UPDATED 20:40 EDT / NOVEMBER 08 2021

SECURITY

Social engineering attack on Robinhood affects 7M customers

Robinhood Markets Inc. has suffered a data breach, with the details of about 7 million customers stolen.

The company said in a blog post that the “data security incident” was detected on Nov. 3 and involved an unauthorized third party obtaining access to personal information for a portion of customers. While not providing specific details, Robinhood said that the attack vector involved the third party socially engineering a customer support employee by phone and obtaining access to certain customer support systems.

With access gained through social engineering, the third party then obtained the email addresses of about 5 million Robinhood customers and 2 million full names for a different group. The details of a small number of people, about 310 in total, were also compromised, with names, dates of birth and zip codes exposed. About 10 of those customers also had more extensive account details revealed.

The person behind the theft of the data demanded payment not to release the stolen information. Robinhood said that it had contacted law enforcement and was working with Mandiant Inc. to investigate the incident.

Robinhood being hacked in any form makes this story notable, but it takes an interesting twist with social engineering. A typical social engineering attack consists of a cybercriminal psychologically manipulating a victim into performing actions or divulging information.

Sometimes that might be pretending to be a senior company employee. This social engineering attack targeted Robinhood’s customer support by phone. The company’s customer support has only been recently expanded, with the company mentioning its deployment of 24/7 customer support in its most recent earnings report.

“Social engineering continues to play a significant role in spreading malware and ransomware as well as in breaches such as this one,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “The bad actors behind these attacks are often highly-skilled and very convincing when they get a potential victim on the line.”

Unfortunately, he added, technology is not good at stopping these attacks, so the best defense against these attempts is education and training. “Employees should be trained to spot and report social engineering and phishing attacks using short, focused training modules and organizations should have a policy telling employees how to report these attacks,” Kron advised.
