On November 3, 2021, a hacker socially engineered a customer support employee by phone and, through an escalated customer service call, obtained access to some customer support systems. This enabled the hacker to obtain the email addresses of about 5 million Robinhood users, as well as full names for a separate group of about 2 million. For a smaller group of 310 customers, even more personal data was exposed, including names, birth dates, and ZIP codes, with more extensive information exposed for a group of about 10 customers. Days later, on Nov. 16, the company published an updated blog post alerting users that over 4,400 phone numbers were also stolen.
Robinhood indicated it believed no Social Security, bank account, or debit-card numbers were exposed in the hack, and that no customers incurred financial losses. Robinhood stated that it contained the breach and notified law enforcement, as well as enlisting a security firm to investigate further. Nonetheless, shares of Robinhood fell 3% after the announcement.
In a separate episode in 2020, almost 2,000 Robinhood accounts were compromised in a hacking spree in which customer accounts were looted. Back then, Robinhood drew criticism for its shortcomings in customer support and worked to staff up.
Why is this important?
Evidently, Robinhood’s efforts to staff up quickly in response to its customer support shortcomings may have created a new security vulnerability, with newly hired customer support staff lacking the necessary security training to avoid social engineering attacks. This cyberattack illustrates that the protection of sensitive information is only as good as the knowledge and expertise of the people protecting that information.
What does this mean to me?
Training can often be the weakest link when it comes to cyberattacks, especially with new employees. Embracing the concept of a zero-trust network to limit employees' access to sensitive information is always a best practice for protecting that information. Never trust, always verify!
The hacker was able to socially engineer their way past customer service on the phone. That tells us at least two things: the organization needs better security awareness training, and it needs to implement Multi-Factor Authentication (MFA) for remote access to resources. Also, it should be prepared for all types of incidents; keeping the Incident Response Plan (IRP) updated and well-practiced is smart security management.
- Security Awareness Training
- Incident Response Readiness – Updated IR Plan, Tabletop exercises specific to social engineering
Commonality of attack
HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.