Robinhood Could Face Legal Action After Hack Targets 2,000 User Accounts

The stock trading and investing app Robinhood recently admitted that nearly 2,000 brokerage accounts were compromised in a data breach, two weeks after initially describing it as a limited attack.

Hackers were able to access customer account information, including controlling trades and account funds. Given the sensitive information at stake and the delay in addressing the severity of the hack, the company could soon face lawsuits from impacted users and other parties.

Details of the Robinhood Hack

In early October 2020, Robinhood announced that “a limited number” of accounts had been compromised after the login email addresses users had for their Robinhood accounts were targeted elsewhere. As an internal review progressed, however, the number of compromised accounts increased. Two weeks after the initial announcement, Robinhood revised its estimate upward, to nearly 2,000 impacted accounts. The company has approximately 13 million customers. To date, this is the company’s largest security breach.

Despite the relatively small number of hacked accounts compared to the number of overall Robinhood users, the breach raises significant concerns, because many of the hacked accounts used two-factor authentication. Two-factor authentication verifies a user’s identity with two pieces of information: something they know, like a password, and something they have, like a smartphone. For instance, a common two-factor authentication setup first asks for a password. If the correct password is given, the second step sends a text message to the user’s phone with a code. If the user inputs the code correctly, the system assumes that they are who they say they are, because they both know the account holder’s password and have access to the account holder’s smartphone.

Two-factor authentication is supposed to be far more difficult for hackers to bypass because it demands access to both login information and a physical object, like a smartphone. The fact that such authentication was compromised here raises new concerns about data security measures that are considered best practices.

A History of Brokerage Data Breaches

Targeted cyberattacks on brokerage websites and accounts are, however, not a new phenomenon. One of the earliest examples is from 2006 when hackers were able to access E*TRADE user accounts. Here, the cybercriminals placed fake buy orders on penny stocks, purchasing the stocks for far more than they were worth. The E*TRADE breach was most impactful because it resulted in a number of new encryption protocols for financial technology websites.

Another significant brokerage security breach came in late 2013 when a database of approximately 4.6 million Scottrade customers was targeted in a hack. This compromised incredibly sensitive customer data, including social security numbers and email addresses. It took investigators nearly two years to sort through what information had been released and by whom. This remains one of the largest brokerage breaches in history.

While brokerage account attacks like Robinhood’s are nothing novel to the world of online trading, the Robinhood incident raises a number of questions surrounding the strength of data security for modern technology and also the role of customer service in a data breach situation.

Slow to Respond

To allay customers’ concerns about breaches, some online brokers offer asset security in this area. Both Fidelity and Charles Schwab, for instance, have guarantee policies in place to support customers impacted by a data breach situation and reimburse any money lost due to unauthorized account activity. Robinhood, however, has struggled to meet these standards when hit with its own breach. Initially, Robinhood did not alert every user about the breach, merely those whose data was affected. Some users, however, discovered that they could neither access their accounts nor immediately contact Robinhood about the problem: the company does not have phone-based customer service, only an online reporting system. Robinhood has since discussed setting up a way for customers to reach out via phone and pledged to reimburse impacted customers pending an investigation.

Beyond customer service processes, Robinhood also lacks some of the more sophisticated security measures seen in other brokerage firms. For example, the company does not require changes in bank account information to be verified. As a result, hackers were able to access users’ accounts and completely drain the funds by simply connecting their own bank account to the Robinhood account. The Robinhood app then allowed transfers to proceed without first verifying that the actual account holder intended for the new bank account to be connected.

Lawsuits to Come?

As criticisms mount, the risk of lawsuits resulting from the data breach rises as well. Users may be able to bring claims not only for the return of their drained funds but also regarding the privacy and security of the sensitive personal and financial information they provided to Robinhood. This will be an interesting financial story to follow, possibly all the way to the courts.

About the author

Dani Alexis Ryskamp, J.D.

Dani Alexis Ryskamp, J.D., is a multifaceted legal professional with extensive experience in insurance defense, personal injury, and medical malpractice law. Her diverse background includes valuable internships in criminal defense, which have enriched her understanding of various legal sectors. She served as the Executive Note Editor of the Michigan Telecommunications and Technology Law Review, demonstrating a strong commitment to legal scholarship. Dani graduated with a J.D. from the University of Michigan Law School in 2007, following a summa cum laude B.A. in English from Ferris State University in 2004. She is an active member of the Michigan State Bar and the American Bar Association, reflecting her dedication to the legal profession.

Currently, Dani has channeled her legal expertise into a successful career as a freelance writer and book critic, primarily focusing on the legal and literary markets. Her writing portfolio encompasses a wide range of topics, including landmark settlements in medical negligence cases, jury awards in personal injury lawsuits, and analyses of legal trial tactics. Her work not only showcases her legal acumen but also her exceptional ability to communicate complex legal issues effectively to a broader audience. Dani's unique blend of legal practice experience and her prowess in legal writing positions her at the intersection of law and literature, allowing her to contribute meaningfully to both fields.

Dani earned her Bachelor of Arts in English from Ferris State University, where she was involved in various activities, including serving as a tutor at the Writing Center, editor in chief of the Muskegon River Review, president of the Dead Poets' Society, secretary of the Public Administration Association, and a member of the varsity synchronized skating team. She obtained her Doctor of Law from the University of Michigan Law School, participating in the Michigan Telecommunications and Technology Law Review, Wolverine Street Law Moot Court, and the Mock Trial Team. Additionally, Dani holds a Master of Arts in English Language and Literature/Letters from Western Michigan University, where she was a graduate assistant for the Hilltop Review.
