from the whoops-a-daisy dept
When it comes to privacy and security, the weakest link continues to be of the human variety.
Trading app Robinhood last week announced in a blog post that somebody used social engineering to talk its support staff into granting access to internal customer data. On November 3, the “hacker” convinced a support employee that they were cleared to access “certain customer support systems.” From there they nabbed the email addresses of five million users, and the full names of a different group of two million users:
“At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.”
A smaller set of users had far more sensitive data exposed. Roughly 310 had their full names, dates of birth and ZIP codes taken, and about 10 customers had “more extensive account details revealed,” though the company doesn’t say which details those were. The company insists that no Social Security numbers were exposed and that no customer suffered a financial loss as a result of the attack:
“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.”
By “no financial loss” Robinhood means none of its users had money stolen directly through Robinhood. That doesn’t mean those users won’t suffer losses elsewhere: a verified list of five million addresses belonging to people known to hold brokerage accounts is ideal raw material for targeted phishing over the coming months, and names, birth dates and ZIP codes are exactly the details other services use to verify identity or reset passwords.
As with most revelations of this type, the scope of the breach is probably significantly bigger than what’s currently understood. Also like most such breaches, nobody will remember it happened three months from now, and Robinhood won’t be held meaningfully accountable for a customer support process that could be talked into handing over access. In a country where most companies have lax security and privacy standards, there’s no meaningful privacy law for the internet era, and the FTC’s privacy enforcers are routinely understaffed, under-funded, and simply outgunned, there’s not much incentive to make security and privacy a real priority.