Trading platform Robinhood has announced that more than seven million of its customers have been impacted by a data breach.
“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” disclosed Robinhood on its own accord.
The platform, which earned infamy during the GameStop saga, shared that the attack was orchestrated by socially engineering a lone customer support executive over the phone to obtain access to certain customer support systems.
Through this access, the attacker was able to pull up a list of email addresses for about five million people, and full names for a separate group of two million people.
Damage control
A smaller group of about 310 users lost additional personally identifiable information (PII), including their names, dates of birth, and zip codes, while “more extensive account details” were revealed about another ten customers.
Robinhood claims that it was able to contain the incident, and is continuing to investigate the incident with the help of cybersecurity firm Mandiant.
Robinhood also shared that it was approached by the attackers who sought an “extortion payment.” However, the platform says it instead notified law enforcement, though it didn’t explicitly mention that it did not engage with the perpetrators.
Weakest link
Cybersecurity experts TechRadar Pro spoke to says the incident is a reminder that humans are oftentimes the weakest link in the ecosystem.
“To reduce risks, companies should have multiple layers of controls in place with restrictions on who can access mission critical data. This can be challenging for financial services companies with employees working remotely from home and customer data and systems becoming more distributed across on-premises, cloud and SaaS infrastructures,” says Ken Westin, Director, Security Strategy, Cybereason.
Alicia Townsend, technology evangelist with identity management experts OneLogin agrees, adding that “this incident highlights two important points: educating employees about possible cybersecurity threats especially social engineering threats and limiting access to customer information to the bare minimum for employees based upon their job role.”
Thwarting social engineering attacks
However, Trevor Morgan, product manager with data security specialists comforte AG says training doesn’t address the root problem that helps facilitate social engineering attacks such as this.
Morgan says most employees work in a hyper-accelerated data environment, where any delay in providing or sharing information can halt progress. He believes this is exactly the vulnerability that social engineering preys upon.
To eradicate the problem, Morgan suggests businesses should build an organizational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information.
Furthermore, he suggests IT leaders consider data-centric security as a means to protect sensitive data itself rather than the perimeters around data.
“Tokenization for example not only makes sensitive data elements incomprehensible, but it also preserves data format so business applications and users can still work with the data in protected states. If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised,“ explains Morgan.
