What is Robinhood?
Robinhood is a financial service provider that allows users to trade stocks, funds and cryptocurrency via their proprietary app. Based in Menlo Park, California, Robinhood’s mission is to equalize and simplify access to the stock market so that everyday people are able to capitalize on it in ways that were previously over complicated or felt to be only achievable by the wealthy.
Robinhood, being in finance, requires users to provide the company with Social Security numbers, bank account numbers and more. Because of this, the company holds valuable personal data on its users, making it a prime target for hackers and ransomware attacks.
The FBI recently released a Private Industry Notification encouraging financial institutions to stay on guard as ransomware attackers look to major financial events like acquisitions or mergers for extortion opportunities.
Why is Robinhood controversial?
2020 hack and theft
In 2020, Robinhood fell victim to a spree of account takeovers that resulted in roughly 2,000 customers having money stolen from their accounts as attackers sold off their stock and made away with the proceeds. In the face of the theft, customers felt that the company was not reachable to voice their concerns. Robinhood encouraged users to enable two-factor authentication on their accounts, but many customers insisted that they already had it in place and were still victimized.
The lack of human support, and waiting periods of up to multiple weeks for responses from the company, resulted in many losing faith in Robinhood, preferring to invest via institutions that are more capable when it comes to customer service.
2021 GameStop stock trading
While not a hack, in early 2021, posters on Reddit pooled together to purchase stock shares in floundering video game retailer GameStop to make quick money while simultaneously antagonizing hedge funds. The resulting market volatility was unprecedented, causing Robinhood to restrict purchases of certain stocks that the company felt also had potential to be leveraged in the same manner.
Robinhood’s restrictions seemed to work counter to both the company’s namesake and its mission statement. While it eventually allowed some trading in GameStop and other stocks to continue, users felt that the company sided with Wall Street and caved under pressure once ordinary retail traders had worked the system in the way that the super wealthy have for decades without consequence.
Robinhood has yet to fully recover its reputation from these reactive restrictions, which upset traders, users and regulators alike.
FINRA’s $70 million fine
Earlier this year, the Financial Industry Regulatory Authority (FINRA) fined Robinhood $70 million for misleading customers, for system outages and for breaking rules designed to protect investors and the market itself from serious harm. The fine is the largest that FINRA has ever issued.
The November Robinhood hack
On November 3rd, 2021, Robinhood fell victim to a data breach that exposed data related to around seven million users. The company stated that around five million users had their email addresses exposed and two million others had their full names exposed.
The company’s official statement also said that approximately 310 users had their birth dates, zip codes and names revealed. A smaller group of 10 users had “more extensive account details revealed.”
After Robinhood contained the intrusion, the threat actor demanded an extortion payment from the company.
Robinhood affirms that no financial loss of any kind took place for affected users and that no Social Security numbers or financial data were accessed. The company has notified law enforcement and enlisted the help of cybersecurity firm Mandiant as it continues to investigate the incident.
How was Robinhood hacked?
According to Robinhood, an “unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.”
While this description of how an unauthorized party was able to gain access to Robinhood’s customer data is vague to say the least, it implies that someone was able to trick a customer service representative into granting access to internal systems that are meant for staff use only.
As with many of the recent, high profile hacks over the past few years, it would seem that the breach of Robinhood relied less on savvy hackers at the top of their game and more so on simply finding the weakest link in a company’s security and exploiting it.
In much the same way companies describe successful hacks as “highly sophisticated” in order to place emphasis on the abilities of the criminals as opposed to their own deficiencies in security, the use of the term “socially engineered” in Robinhood’s statement feels as though it is masking the simple truth that Robinhood likely has not adequately trained its employees in proper cybersecurity protocols. To put it more plainly, an employee was apparently fooled into allowing an outsider access to Robinhood’s data.
How could the Robinhood hack have been prevented?
One of the leading causes of data breaches and unauthorized intrusion is poorly trained staff who have not been taught how to identify phishing attempts, fraudulent emails, pretext phone calls or other common scams. After 2020’s hack and the criticism that the company received for its poor customer service, Robinhood tripled the size of its support staff. This hiring spree may be partially to blame for inadequately trained employees, as companies that experience extreme, rapid expansion are frequently victims of cybercrime while their resources are spread thin to keep up with demand.
As recently as a few years ago, training customer service representatives in cybersecurity basics may not have made much sense and certainly would not have been a priority. However, hackers have become acutely aware that even the most robust network security can be circumvented by simply taking advantage of someone on the inside. Once allowed access to a company’s network, the hard part is done and a cybercriminal can set up shop however they choose.
Regular, staff-wide cybersecurity training is a necessity for modern business safety. From the employees at the front desk to the developers who spend their days immersed in code, companies should expect any employee to be a potential target.
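Training reduces the odds that a support agent is talked into handing over access, but it does not remove them, so the second line of defence is noticing when a support account starts behaving like a scraper. The breach described above exposed millions of email addresses and names, which means a large number of customer records were read through a support tool in a short time. The following is an added example (not Robinhood’s code, and not based on its systems): it runs two simple detections over a constructed audit log of support-tool lookups, flagging an agent who touches more distinct customers in a ten-minute window than a human agent plausibly would, and an agent whose lookups start arriving from a different source IP than the one that began the shift. The log format, field names, window size and threshold are all assumptions chosen for illustration.

```python
"""Flag bulk customer-record access in a support-tool audit log.

Added example, not Robinhood's code or data. The log format, field names,
window size and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_log():
    """Build a constructed audit log (invented data): one agent doing normal
    work, and one agent whose account is used, from a new source IP, to pull
    60 distinct customer records in two minutes."""
    base = datetime(2021, 11, 3, 14, 0, 0)
    lines = []
    for i in range(6):  # agent_17: one lookup every ten minutes, same IP
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.strftime(TS_FMT)} agent_17 view_customer cust_{10000 + i} 10.20.5.14")
    # agent_42: one normal lookup, then a burst from an unfamiliar address.
    lines.append(f"{base.strftime(TS_FMT)} agent_42 view_customer cust_20000 10.20.7.3")
    for i in range(60):
        ts = base + timedelta(minutes=30, seconds=2 * i)
        lines.append(f"{ts.strftime(TS_FMT)} agent_42 view_customer cust_{30000 + i} 203.0.113.9")
    return lines


def detect(lines, window_minutes=10, max_distinct=25):
    """Return alerts for (a) an agent reading more than max_distinct distinct
    customers inside a sliding window and (b) an agent's lookups arriving from
    a source IP other than the one that began the shift. Each (agent, rule)
    pair alerts once so a burst does not flood the alert queue."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # agent -> deque of (timestamp, customer_id)
    first_ip = {}                 # agent -> source IP of the first lookup seen
    fired = set()
    alerts = []

    def fire(agent, rule, ts, detail):
        if (agent, rule) not in fired:
            fired.add((agent, rule))
            alerts.append({"agent": agent, "rule": rule,
                           "at": ts.strftime(TS_FMT), "detail": detail})

    # Lines start with an ISO timestamp, so a plain sort restores time order.
    for line in sorted(lines):
        ts_s, agent, action, customer, ip = line.split()
        ts = datetime.strptime(ts_s, TS_FMT)
        if action != "view_customer":
            continue
        if first_ip.setdefault(agent, ip) != ip:
            fire(agent, "ip_change", ts, f"{first_ip[agent]} -> {ip}")
        dq = recent[agent]
        dq.append((ts, customer))
        while dq and ts - dq[0][0] > window:   # drop entries outside the window
            dq.popleft()
        distinct = len({c for _, c in dq})
        if distinct > max_distinct:
            fire(agent, "bulk_access", ts,
                 f"{distinct} distinct customers in {window_minutes} min")
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Running the block prints two alerts, both for agent_42: the IP change at the first lookup from 203.0.113.9, and the bulk-access alert fifty seconds later when the 26th distinct customer in the window is read. The normal agent never trips either rule. In practice the threshold would be derived from each team’s historical lookup rate rather than fixed, and the alert would feed a step-up check (re-authentication or a supervisor confirmation) rather than only a log line.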
Robinhood regularly touts itself as a “safety first” company. This recent lapse in their security shows that they need to do more to make good on that promise.
How to maintain good cybersecurity habits
1: Stay informed. Tap into online cybersecurity resources to keep your finger on the pulse of today’s threats and security trends. Encourage employees to do the same, possibly by compiling a regular newsletter of recent cybersecurity developments.
2: Update everything. Keep your hardware and software alike up to date. You can purchase refurbished equipment from a reputable supplier in order to modernize your system without going over budget.
3: Educate your staff. Time and again, we see human error at the root of cybercrime. Teach your staff how to identify and isolate suspicious emails, messages and phone calls. Make sure they use strong passwords and that their training is refreshed regularly to keep pace with today’s ever-changing cybersecurity landscape.
Robinhood Internal Probe Finds Hackers Hit Almost 2,000 Accounts by Sophie Alexander, 15 Oct 2020, Bloomberg
Robinhood Announces Data Security Incident — Under the Hood by Robinhood, 8 Nov 2021
Robinhood backlash: What you should know about the GameStop stock controversy by Oscar Gonzales and David Priest, 17 March 2021, CNet
Robinhood Data Breach Nightmare Hinged on Customer Service Slip by Annie Massa, 9 Nov 2021, Claims Journal
Robinhood Data Breach Hits Seven Million Customers by Phil Muncaster, Infosecurity Magazine
Robinhood is fined $70 million over misleading customers and system outages by Michael J. de la Merced and Erin Griffith, 21 July 2021, The New York Times