Buzzy brokerage app Robinhood Markets is the latest victim of a cyberhack, disclosing earlier this week that the personal information of some 7 million users was exposed. According to Bloomberg, the “intruder made off with email addresses of about 5 million Robinhood users, as well as full names for a separate group of 2 million, and demanded an extortion payment.” For a smaller group of just over 300 people, “even more personal data was exposed, including names, birth dates and ZIP codes.” The breach follows a separate incident last year in which nearly 2,000 Robinhood accounts were compromised and robbed of their contents.
While a high-profile breach is—unfortunately, in the current environment—hardly rare, this latest Robinhood episode is noteworthy for several reasons. First, it comes despite the company publicly proclaiming itself a “safety first” company that’s trying to “convince users and watchful regulators” that it can protect its data. Second, the breach appears to have direct ties to the account attacks from last year, during which affected users complained that Robinhood had no functioning customer service assistance available to help them navigate the theft. Robinhood hired scores of customer-service reps in the wake of the incident, but in doing so it inadvertently opened up a new path for its attackers. As TechCrunch reported, the company admitted that the hacker “socially engineered a customer service representative over the phone . . . to get access to customer support systems.” That admission will likely be fodder for further investigation by authorities and perhaps even litigation, and it should also serve as a reminder to all of us of the importance of cybersecurity awareness and training for all employees—not just those in a company’s IT department.