Robinhood Markets Inc. has suffered a data breach, with the details of about 7 million customers stolen.

The company said in a blog post that the “data security incident” was detected on Nov. 3 and involved an unauthorized third party obtaining access to personal information for a portion of customers. While not providing specific details, Robinhood said that the attack vector involved the third party socially engineering a customer support employee by phone and obtaining access to certain customer support systems.

With access gained through social engineering, the third party then obtained the email addresses of about 5 million Robinhood customers and 2 million full names for a different group. The details of a small number of people, about 310 in total, were also compromised, with names, dates of birth and zip codes exposed. About 10 of those customers also had more extensive account details revealed.

The person behind the theft of the data demanded payment not to release the stolen information. Robinhood said that it had contacted law enforcement and was working with Mandiant Inc. to investigate the incident.

Robinhood being hacked in any form makes this a story notable, but it takes an interesting twist with social engineering. A typical social engineering attack consists of a cybercriminal psychologically manipulating a victim into performing actions or divulging informatio

Sometimes that might be pretending to be a senior company employee. This social engineering attack targeted Robinhood’s customer support by phone. The company’s customer support has only been recently expanded, with the company mentioning its deployment of 24/7 customer support in its most recent earnings report.

“Social engineering continues to play a significant role in spreading malware and ransomware as well as in breaches such as this one,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “The bad actors behind these attacks are often highly-skilled and very convincing when they get a potential victim on the line.”

Unfortunately, he added, technology is not good at stopping these attacks, so the best defense against these attempts is education and training. “Employees should be trained to spot and report social engineering and phishing attacks using short, focused training modules and organizations should have a policy telling employees how to report these attacks,” Kron advised.

Image: Robinhood