US trading platform Robinhood is at the center of a data breach affecting up to 7 million of the popular investing app’s users after falling victim to a social engineering attack on 3rd November 2021.
- November 3rd, 2021: An unauthorized third-party undertook a social engineering attack via telephone communication with Robinhood customer support, gaining access to some customer support systems.
- November 8th, 2021: Robinhood releases a statement to confirm and detail the occurrence of a ‘data security incident’ and the remediation steps being taken as per the company’s incident response plan.
The threat actor is reported to have compromised varying amounts and types of sensitive data during the security incident, including:
- The email addresses of approximately five million people
- Full names of approximately two million separate people
- Additional personally identifiable information (PII) of approximately 310 customers - name, date of birth, zipcode
- Further PII of approximately ten customers
Other sensitive data such as Social Security numbers, bank account numbers, and debit card numbers are not believed to have been exposed. Customers have not experienced any financial losses to date due to the security incident.
The attack’s motives appear to be financial, as the threat actor is reported to have demanded extortion payment following Robinhood’s containment of the breach.
Robinhood took the following actions following the attack:
- Contacting law enforcement
- Engaging an external security firm
- Alerting those affected by the malicious disclosure
The growing number of social engineering attacks highlights the importance of cybersecurity awareness training programs for staff, as mitigating human errors proves an effective attack surface management technique.