US trading platform Robinhood Markets has admitted that client data has been stolen by crooks who tricked a customer support employee.
The social engineering attack on November 3 allowed miscreants to access customer support systems where they took data including the names of two million customers and more extensive data on a small number of customers.
In a statement issued on Monday (November 8), Robinhood Markets sought to play down fears by stating that it hasn’t come across any evidence that any financially sensitive information was exposed by the breach.
“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” the firm said.
Robinhood’s ongoing investigation has revealed that for a small subset of its customers – around 310 – their name, date of birth, and zip code were exposed. In addition, 10 customers had “more extensive account details” revealed.
The financial services firm is in the process of contacting those most affected directly.
The exposed email addresses make it likely that Robinhood customers will find themselves targeted with follow-up phishing attacks seeking to hoodwink potential marks into handing over more sensitive information, so extra vigilance is strongly recommended.
Ken Westin, director of security strategy at threat intel firm Cybereason, commented: “Minimally impacted consumer info can still be leveraged for secondary phishing attacks to gain access to accounts, making it critically important for their customers to be vigilant while regularly checking their accounts for any signs of fraud.”
Social engineering
Robinhood Markets said that after detecting the intrusion, the as-yet-unidentified crooks attempted to obtain an extortionate payment.
The financial services firm rebuffed this request and called in help from incident response experts and the police.
“We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm,” Robinhood Markets said.
Third-party security firms said the incident highlighted the importance of employee training as well as technical countermeasures such as multi-factor authentication for sensitive systems and least-privilege access.
Chris Deverill, UK director at Orange Cyberdefense, commented: “The fact malicious actors were able to access Robinhood’s systems after tricking a support desk worker on the phone proves the importance of implementing ongoing cybersecurity training and awareness.”
Cybereason’s Westin added: “The breach appears to be the result of social engineering of a single customer support employee and a reminder that humans are oftentimes the weakest link in the ecosystem. To reduce risks, companies should have multiple layers of controls in place with restrictions on who can access mission critical data.”
Source: https://portswigger.net/daily-swig/security-breach-at-trading-platform-robinhood-sparks-phishing-fears