Robinhood Stock Trading App Hit By Mega Data Breach

Trading platform Robinhood has announced that more than seven million of its customers have been affected by a data breach. "Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident," Robinhood said in its own statement. The platform, which rose to prominence during the GameStop saga, explained that the attacker socially engineered a single customer support manager over the phone to gain access to certain customer support systems. With that access, the attacker was able to extract a list of email addresses for around five million people and the full names of a separate group of around two million people.

Limit the damage

A smaller group of around 310 users had further personally identifiable information (PII) exposed, including their names, dates of birth and zip codes, while "more extensive account details" were revealed for around ten other customers. Robinhood says it was able to contain the incident and is continuing to investigate it with the help of cybersecurity firm Mandiant. Robinhood also disclosed that the attacker had approached it demanding an "extortion payment". The platform says it instead informed law enforcement, although it did not explicitly state that it had not contacted the perpetrators. Cybersecurity experts TechRadar Pro spoke to said the incident was a reminder that humans are often the weakest link in the ecosystem. "To reduce risk, companies must implement multiple layers of control with restrictions on who can access critical data. This can prove difficult for financial services companies whose employees work remotely from home and whose customer data and systems are increasingly distributed across on-premises, cloud and SaaS infrastructure," said Ken Westin, director of security strategy at Cybereason. Alicia Townsend, technology evangelist at identity management firm OneLogin, agrees, adding: "This incident highlights two important points: educating employees about potential cybersecurity threats, especially social engineering threats, and limiting employees' access to customer information to the minimum required by their role."

Overcome social engineering attacks

However, Trevor Morgan, product manager at data security specialist comforte AG, says training alone doesn't solve the fundamental problem that makes social engineering attacks like this one easy. Morgan says most employees work in a hyper-accelerated data environment, where any delay in providing or sharing information can stall progress, and he believes this is exactly the weakness that social engineering preys on. To root out the problem, Morgan suggests that companies build an organizational culture that values data privacy and encourages employees to slow down and consider the ramifications before acting on requests for sensitive information. He also suggests that IT managers consider data-centric security, which protects the sensitive data itself rather than the perimeters around it. "Tokenization, for example, not only makes sensitive data incomprehensible, but also preserves the format of the data so that business applications and users can still work with data in its protected state. If you never check out data, there's a good chance that even if it falls into the wrong hands, sensitive information won't be compromised," Morgan explains.
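The two ideas above, format-preserving tokenization of customer PII and role-based limits on who can recover the clear text, can be combined in one small design. The following is an added illustrative example written for this article, not code from Robinhood, comforte AG or any of the quoted vendors; the customer record is constructed sample data, and the role names ("support", "fraud_ops") and the vault's API are assumptions. It shows that a support tool's own validation logic keeps working on the tokenized record, that a leaked token table reveals nothing on its own, and that only an allow-listed role can detokenize.

```python
"""Format-preserving tokenization with a role-gated detokenization vault.

Illustrative example only (not Robinhood's or comforte AG's code). The record
used below is constructed sample data and the role names are assumptions.
"""
import re
import secrets
import string

# Validators a customer-support tool might apply to a record it displays.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ZIP_RE = re.compile(r"^\d{5}$")

# Hypothetical roles: only these may turn a token back into clear text.
DETOKENIZE_ROLES = {"fraud_ops"}


class TokenVault:
    """Maps sensitive values to random tokens of the same shape.

    Tokens are drawn at random, not derived from the value (no key, no hash),
    so a copied token table is useless without access to the vault itself.
    """

    def __init__(self):
        self._token_for = {}   # clear text -> token (stable per value)
        self._value_for = {}   # token -> clear text

    @staticmethod
    def _shape_preserving(value):
        # Letters become random letters of the same case and digits random
        # digits; '@', '.', '-' and other punctuation are kept in place so
        # downstream format checks still pass on the token.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        """Return the token for value, minting one on first sight."""
        if value in self._token_for:
            return self._token_for[value]
        # Retry on the rare collision with an existing token or the value itself.
        while True:
            token = self._shape_preserving(value)
            if token != value and token not in self._value_for:
                break
        self._token_for[value] = token
        self._value_for[token] = value
        return token

    def detokenize(self, token, role):
        """Recover clear text; refused unless the caller's role is allow-listed."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._value_for[token]


def protect_record(vault, record):
    """Tokenize every PII field before the record reaches a support system."""
    return {field: vault.tokenize(value) for field, value in record.items()}


def support_view_is_usable(record):
    """The support tool's validation still succeeds on a tokenized record."""
    return bool(EMAIL_RE.match(record["email"]) and ZIP_RE.match(record["zip"]))


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample customer record (not real data).
    customer = {"email": "alice.smith@example.com", "dob": "1990-03-14", "zip": "94105"}
    protected = protect_record(vault, customer)
    print("support system sees:", protected)
    print("support validators pass:", support_view_is_usable(protected))
    print("fraud_ops recovers:", vault.detokenize(protected["email"], "fraud_ops"))
    try:
        vault.detokenize(protected["email"], "support")
    except PermissionError as exc:
        print("support denied:", exc)
```

The point of the `role` check living inside `detokenize` is that a socially engineered support agent, or an attacker using that agent's session, can list or export tokenized records but cannot turn them back into email addresses or dates of birth without a separately controlled role; in a real deployment that check would be enforced by the vault service, not by the calling application.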