Stock trading and investing app Robinhood recently admitted that nearly 2,000 brokerage accounts were compromised in a data breach—two weeks after initially describing it as a limited attack. Hackers were able to access customer account information, including control over trades and account funds. Given the sensitive information at stake and the delay in acknowledging the severity of the hack, the company could soon face lawsuits from impacted users and other parties.
Details of the Robinhood Hack
In early October 2020, Robinhood announced that “a limited number” of accounts had been compromised after the user’s login email address for their Robinhood accounts had been targeted elsewhere. As an internal review progressed, however, the number of compromised accounts increased. Two weeks after the initial announcement, Robinhood revised its estimate upward, to nearly 2,000 impacted accounts. The company has approximately 13 million customers. To date, this is the company’s largest security breach.
Despite the relatively small number of hacked accounts compared to the number of overall Robinhood users, the breach raises significant concerns, because many of the hacked accounts used two-factor authentication. Two-factor authentication verifies a user’s identity with two pieces of information: something they know, like a password, and something they have, like a smartphone. For instance, a common two-factor authentication setup first asks for a password. If the correct password is given, the second step sends a text message to the user’s phone with a code. If the user inputs the code correctly, the system assumes that they are who they say they are, because they both know the account holder’s password and have access to the account holder’s smartphone.
Two-factor authentication is supposed to be far more difficult for hackers to bypass because it demands access to both login information and a physical object, like a smartphone. The fact that such authentication was compromised here raises new concerns about data security measures that are considered best practices.
A History of Brokerage Data Breaches
Targeted cyberattacks on brokerage websites and accounts are, however, not a new phenomenon. One of the earliest examples dates to 2006, when hackers were able to access E*TRADE user accounts. Here, the cybercriminals placed fake buy orders on penny stocks, purchasing the stocks for far more than they were worth. The E*TRADE breach was especially impactful because it resulted in a number of new encryption protocols for financial technology websites.
Another significant brokerage security breach came in late 2013 when a database of approximately 4.6 million Scottrade customers was targeted in a hack. This compromised incredibly sensitive customer data, including social security numbers and email addresses. It took investigators nearly two years to sort through what information had been released and by whom. This remains one of the largest brokerage breaches in history.
While brokerage account attacks like Robinhood’s are nothing novel to the world of online trading, the Robinhood incident raises a number of questions surrounding the strength of data security for modern technology and also the role of customer service in a data breach situation.
Slow to Respond
To allay customers’ concerns about breaches, some online brokers offer guarantees that protect customer assets. Both Fidelity and Charles Schwab, for instance, have guarantee policies in place to support customers impacted by a data breach and reimburse any money lost due to unauthorized account activity. Robinhood, however, has struggled to meet these standards when hit with its own breach. Initially, Robinhood did not alert every user about the breach, only those whose data was affected. Some users, however, discovered that they could neither access their accounts nor immediately contact Robinhood about the problem, as the company does not have phone-based customer service, only an online reporting system. Robinhood has since discussed setting up a way for customers to reach out via phone and pledged to reimburse impacted customers pending an investigation.
Beyond customer service processes, Robinhood also lacks some of the more sophisticated security measures seen in other brokerage firms. For example, the company does not require changes in bank account information to be verified. As a result, hackers were able to access users’ accounts and completely drain the funds by simply connecting their own bank account to the Robinhood account. The Robinhood app then allowed transfers to proceed without first verifying that the actual account holder intended for the new bank account to be connected.
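The control described above, a second-factor confirmation (the “something you have” step from the two-factor discussion earlier) before a newly linked bank account can receive withdrawals, is easier to reason about in code. The following is an added illustration, not Robinhood’s or any broker’s actual implementation; the account names, balances and the “attacker-9999” payout reference are constructed, and the one-time code is returned to the caller to stand in for delivery to the owner’s phone. It contrasts the weak flow (a new bank account is usable the moment a logged-in session attaches it) with a hardened flow (the link stays pending until the owner confirms a code, and bad guesses are limited).

```python
"""Simulated bank-account linking, with and without step-up verification.
Added example; names and values are constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_CODE_ATTEMPTS = 3  # wrong guesses allowed before a pending link is discarded


class VerificationRequired(Exception):
    """Raised when a withdrawal targets a payout account the owner never confirmed."""


@dataclass
class BankLink:
    account_ref: str                    # constructed identifier for the external account
    verified: bool = False
    pending_code: Optional[str] = None  # one-time code sent to the owner's second factor
    attempts_left: int = MAX_CODE_ATTEMPTS


@dataclass
class BrokerageAccount:
    owner: str
    cash: float
    links: Dict[str, BankLink] = field(default_factory=dict)


def link_bank_unverified(acct: BrokerageAccount, account_ref: str) -> None:
    """Weak flow: whoever holds the session can attach a payout account and use it at once."""
    acct.links[account_ref] = BankLink(account_ref, verified=True)


def request_bank_link(acct: BrokerageAccount, account_ref: str) -> str:
    """Hardened flow, step 1: attach the account as pending and issue a one-time code.
    Delivery to the owner's registered phone is simulated by returning the code."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    acct.links[account_ref] = BankLink(account_ref, pending_code=code)
    return code


def confirm_bank_link(acct: BrokerageAccount, account_ref: str, code: str) -> bool:
    """Hardened flow, step 2: the link becomes usable only after the code matches."""
    link = acct.links.get(account_ref)
    if link is None or link.verified or link.pending_code is None:
        return False
    if hmac.compare_digest(link.pending_code, code):  # constant-time comparison
        link.verified = True
        link.pending_code = None
        return True
    link.attempts_left -= 1
    if link.attempts_left <= 0:
        del acct.links[account_ref]  # too many bad guesses: discard the pending link
    return False


def withdraw(acct: BrokerageAccount, account_ref: str, amount: float) -> float:
    """Move cash to a linked bank account; refuses unverified or unknown links."""
    link = acct.links.get(account_ref)
    if link is None or not link.verified:
        raise VerificationRequired(f"{account_ref} is not a verified payout account")
    if amount > acct.cash:
        raise ValueError("insufficient funds")
    acct.cash -= amount
    return acct.cash


def weak_flow() -> float:
    """An attacker with a hijacked session links their own account and drains the cash."""
    acct = BrokerageAccount("alice", 5000.0)
    link_bank_unverified(acct, "attacker-9999")
    return withdraw(acct, "attacker-9999", acct.cash)


def hardened_flow_attacker() -> float:
    """Same session hijack, but the code goes to the owner's phone, so the link stays pending."""
    acct = BrokerageAccount("alice", 5000.0)
    request_bank_link(acct, "attacker-9999")  # attacker never sees the code
    try:
        withdraw(acct, "attacker-9999", acct.cash)
    except VerificationRequired:
        pass
    return acct.cash


def hardened_flow_owner() -> float:
    """The legitimate owner confirms the code and can then withdraw normally."""
    acct = BrokerageAccount("alice", 5000.0)
    code = request_bank_link(acct, "alice-1234")
    if not confirm_bank_link(acct, "alice-1234", code):
        raise RuntimeError("owner confirmation unexpectedly failed")
    return withdraw(acct, "alice-1234", 1000.0)


if __name__ == "__main__":
    print("weak flow, cash left:", weak_flow())
    print("hardened flow, attacker, cash left:", hardened_flow_attacker())
    print("hardened flow, owner, cash left:", hardened_flow_owner())
```

The important design point is that the second-factor confirmation is tied to the specific action of changing where money can be sent, not only to login: a stolen session or a phished password is not enough to alter the payout destination, and a small attempt budget keeps the six-digit code from being brute-forced.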
Lawsuits to Come?
As criticisms mount, the risk of lawsuits resulting from the data breach rises as well. Users may be able to bring claims not only for the return of their drained funds but also regarding the privacy and security of the sensitive personal and financial information they provided to Robinhood. This will be an interesting financial story to follow, possibly all the way to the courts.