Robinhood Data Breach – Expert Comments

BACKGROUND:

Cybersecurity experts commented below on news that the stock trading platform Robinhood has disclosed a data breach after its systems were hacked, exposing personal information of approximately 7 million customers.

Experts Comments

November 09, 2021
Eyal Elyashiv
CEO
Cynamics

It hasn’t been a good year for the people at Robinhood, and news of the data breach is just the latest example. As we've seen throughout many different types of organizations in the last several years, network-based attacks have become an increasingly popular attack vector.

With the increasingly sophisticated style of attacks happening, chief security officers, CIOs, network operators and security analysts can’t get a complete and accurate picture of what’s taking place in and around their organizations’ networks without total visibility into all traffic flowing in and out of the company network. That leaves room for threats to infiltrate, unseen and undetected.

Most organizations are still using legacy network detection and response (NDR) options, which are expensive to implement and decreasingly effective - keeping them steps behind the "bad guys." 

Fortunately, there are now next-generation NDR tools making network security even easier with solutions that can be rapidly onboarded and are more affordable. This leads to a faster time to value. Such tools don’t require agents, sensors or probes, which enables effortless scalability, no matter how complex the network is. They also provide full visibility into the NS/EW (inbound/outbound and in-organization) traffic. By learning what normal traffic looks like for your network, NDR provides real-time monitoring and alerts with higher efficiency and efficacy.

 

November 10, 2021
Chris Deverill
UK Director
Orange Cyberdefense

The latest cyberattack on Robinhood is a stark reminder of the critical need for organisations to adopt a layered security strategy that includes the increasingly critical aspect of defending against human error. The fact malicious actors were able to access Robinhood’s systems after tricking a support desk worker on the phone proves the importance of implementing ongoing cybersecurity training and awareness. Teaching employees how to recognise phishing attempts and detect malicious activity will ultimately enable them to access the security resources needed to stop cybercriminals in their tracks, and carry out their own jobs safely and effectively. 

More than ever before, we are operating in a cyber landscape where implementing a comprehensive security strategy is no longer an opt-in or opt-out option. This latest data breach is a stark reminder of the critical importance of user awareness and education amongst organisations. By improving this, businesses can make employees their first line of defence when it comes to cybersecurity, and further protect their organisation and customers from such attacks in the future.

November 10, 2021
Alicia Townsend
Technology Evangelist
OneLogin

This incident highlights two important points: educating employees about possible cybersecurity threats especially social engineering threats and limiting access to customer information to the bare minimum for employees based upon their job role.

Cybersecurity education needs to occur more than once a year in the form of self-paced online training. It needs to be spread throughout the year - run drills, send out fake phishing emails, have someone place USB drives out, use these types of tactics to teach employees what they might be up against, what they should be on the watch for and how to handle different scenarios. Most people learn best through hands-on learning.

As a second form of defence, employees should be limited in what they have access to. Least Privilege Access principles should be applied everywhere, especially when it comes to customer data. This way if an attacker is able to get past the employee and trick them, what they will have access to will be limited.

November 09, 2021
Ron Bradley
VP
Shared Assessments

In the 1984 movie Beverly Hills Cop, Eddie Murphy has a famous line: "Look, man, I ain't fallin' for no banana in my tailpipe!" So what does this have to do with the Robinhood hack? This is a prime example of social engineering, which has been around for decades. While technical controls help us to guard against threat actors, there will always be instances where someone will fall for a ruse.

In this particular case, the type and number of records reportedly compromised aren't particularly alarming to me. The fact is, anyone reading this column most certainly has had their data compromised in one fashion or another. The good news is, there were no reports of passwords being stolen, which would change the equation. Regardless, this is just another reminder of the importance of not reusing credentials across multiple platforms, particularly those which involve financial transactions.

There's no substitute for implementing multi factor authentication, password managers, and good cyber hygiene to reduce the blast radius in the case where personal information is part of a data breach or even a targeted attack.

November 10, 2021
Ken Westin
Director, Security Strategy
Cybereason

Today, financial services companies are a prime target of cybercriminals “because that's where the money is” to quote famous bank robber Willie Sutton. With Robinhood reporting a data breach involving more than 7 million customers, it is a stark reminder that no company is immune to the risks posed by motivated hackers.

It appears a limited amount of personal information was compromised. And while the hackers have stolen email addresses and/or full names of 7 million people, a smaller group of less than 500 customers had personal information stolen. Minimally impacted consumer info can still be leveraged for secondary phishing attacks to gain access to accounts, making it critically important for their customers to be vigilant while regularly checking their accounts for any signs of fraud.

The breach appears to be the result of social engineering of a single customer support employee and a reminder that humans are oftentimes the weakest link in the ecosystem. To reduce risks, companies should have multiple layers of controls in place with restrictions on who can access mission critical data. This can be challenging for financial services companies with employees working remotely from home and customer data and systems becoming more distributed across on-premises, cloud and SaaS infrastructures.

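Both the Townsend comment and the Westin comment above come down to the same control: a support desk should be able to see only the slice of a customer record that a ticket needs, so a tricked agent can hand over no more than that slice. The Go program below is an added example of what that looks like in code; it is not Robinhood's code and not either expert's. The two roles, the field names, the masking rules, the sample customer and the rule that every lookup carries a ticket reference are all assumptions standing in for a real IAM policy.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Customer is a constructed record; the field set is an assumption for the example.
type Customer struct {
	ID, FullName, Email, Phone, DOB, SSNLast4, AccountBalance string
}

type Role string

const (
	RoleSupportTier1 Role = "support_tier1"
	RoleFraudAnalyst Role = "fraud_analyst"
)

// policy lists, per role, the fields that role may see and whether each is masked on
// the way out. Roles and rules are assumptions standing in for a real IAM policy: a
// tier-1 agent gets what a ticket needs and nothing more.
var policy = map[Role]map[string]bool{ // field -> masked?
	RoleSupportTier1: {"ID": false, "FullName": false, "Email": true, "Phone": true},
	RoleFraudAnalyst: {"ID": false, "FullName": false, "Email": false, "Phone": false,
		"DOB": false, "SSNLast4": false, "AccountBalance": false},
}

func maskEmail(e string) string {
	at := strings.IndexByte(e, '@')
	if at < 1 {
		return "***"
	}
	return e[:1] + "***" + e[at:]
}

func maskPhone(p string) string {
	if len(p) < 4 {
		return "***"
	}
	return "***-***-" + p[len(p)-4:]
}

// AuditEntry records who looked at which customer, under which ticket, and what they
// were shown: the trail that scopes the damage after an agent is tricked.
type AuditEntry struct {
	Role       Role
	CustomerID string
	Ticket     string
	Fields     []string
}

var auditLog []AuditEntry

// View returns the projection of c that role may see. An unknown role, or a lookup
// with no ticket reference to justify it, is refused before any data is read.
func View(role Role, c Customer, ticket string) (map[string]string, error) {
	allowed, ok := policy[role]
	if !ok {
		return nil, errors.New("unknown role: " + string(role))
	}
	if strings.TrimSpace(ticket) == "" {
		return nil, errors.New("customer lookups require a ticket reference")
	}
	all := map[string]string{
		"ID": c.ID, "FullName": c.FullName, "Email": c.Email, "Phone": c.Phone,
		"DOB": c.DOB, "SSNLast4": c.SSNLast4, "AccountBalance": c.AccountBalance,
	}
	out := map[string]string{}
	var shown []string
	for field, masked := range allowed {
		v := all[field]
		if masked {
			switch field {
			case "Email":
				v = maskEmail(v)
			case "Phone":
				v = maskPhone(v)
			}
		}
		out[field] = v
		shown = append(shown, field)
	}
	sort.Strings(shown)
	auditLog = append(auditLog, AuditEntry{Role: role, CustomerID: c.ID, Ticket: ticket, Fields: shown})
	return out, nil
}

func main() {
	// Constructed sample customer, not real data.
	c := Customer{ID: "c-1001", FullName: "Jane Doe", Email: "jane.doe@example.com",
		Phone: "415-555-0137", DOB: "1990-02-14", SSNLast4: "6789", AccountBalance: "12450.00"}
	v, err := View(RoleSupportTier1, c, "TCK-42")
	fmt.Println("tier-1 support sees:", v, err)
	_, err = View(RoleSupportTier1, c, "")
	fmt.Println("lookup without a ticket:", err)
	fmt.Printf("audit trail: %+v\n", auditLog)
}
```

The point of the projection is that the support tool never holds the fields it does not return: a tier-1 agent talked into "reading back" a record can only read back a masked email and the last four digits of a phone number, and the audit entry shows exactly which customers that agent's session touched.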
November 10, 2021
Trevor Morgan
Product Manager
comforte AG

The stock trading platform Robinhood very directly addressed the ongoing problem of social engineering tactics. Social engineering is the use of trickery, misdirection, and other methods of subterfuge to fool a person into giving up sensitive information to a threat actor. Each one of us has been exposed (probably very recently) to social engineering tricks, whether through email appeals to click a link or launch an attachment or other forms of deceptive communication. Robinhood’s own organization succumbed to this “low-tech” approach to circumventing data protection methods. All it takes is one moment of inattention or gullibility, and the threat actor carrying out social engineering techniques is one step closer to the ultimate goal. 

The question Robinhood’s situation raises is, why are social engineering techniques still successful given the amount of information we all have on them? Most organizations spend ample time and funds trying to educate employees on all these techniques, but quite frankly training doesn’t address the root problem. Most employees work in a hyper-accelerated data environment in which demands for information are coming from all directions. To delay providing or sharing information can halt progress and potentially frustrate the requestor. We have all gotten used to working faster and pushing information out as fast as we can, but this is exactly the vulnerability that social engineering preys upon. Not taking the time to inspect emails, to think through a situation without haste or pressure, or to confirm a request to ensure the legitimacy of the requestor is the fatal flaw. 

Organizations can do two things. One, build an organizational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information. If business leaders can get behind initiatives that help employees take the time to do the right thing, then the culture of data privacy and data security will be that much stronger. Two, IT leaders can consider data-centric security as a means to protect sensitive data rather than the perimeters around data. Tokenization for example not only makes sensitive data elements incomprehensible, but it also preserves data format so business applications and users can still work with the data in protected states. If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised.

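Morgan's second recommendation above, data-centric protection that keeps the data usable while it is protected, is the one that does not depend on an employee slowing down. The Go program below is an added example of a tokenization vault, not comforte's product or any vendor's code. The vault, the "keep the last four digits" rule, the caller allow-list and the sample identifier are assumptions; the tokens are random digit substitutions recorded in a vault, which is one of the two common designs (the other is a format-preserving cipher such as NIST SP 800-38G FF1).

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Vault is the only place a token can be turned back into the real value. In
// production it is a separate, tightly controlled service with its own audit log;
// the in-memory maps here are an assumption so the example runs stand-alone.
type Vault struct {
	toValue map[string]string // token -> real value
	toToken map[string]string // real value -> token, so tokenization is stable
}

func NewVault() *Vault { return &Vault{toValue: map[string]string{}, toToken: map[string]string{}} }

// detokenizeAllowed stands in for the vault's access policy (an assumption): only
// the settlement job may ever see real values; support tooling never can.
var detokenizeAllowed = map[string]bool{"payments-settlement": true}

// formatPreservingToken replaces every digit except the last keepLast characters
// with a random digit and leaves everything else (separators, length) untouched,
// so the token passes the same validation and display rules as the original.
func formatPreservingToken(value string, keepLast int) (string, error) {
	r := []byte(value)
	for i := 0; i < len(r)-keepLast; i++ {
		if r[i] < '0' || r[i] > '9' {
			continue
		}
		n, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		r[i] = '0' + byte(n.Int64())
	}
	return string(r), nil
}

// Tokenize returns the token for value, minting one on first sight. The same value
// always maps to the same token, so joins and lookups keep working on tokens alone.
func (v *Vault) Tokenize(value string, keepLast int) (string, error) {
	if t, ok := v.toToken[value]; ok {
		return t, nil
	}
	for attempt := 0; attempt < 100; attempt++ {
		t, err := formatPreservingToken(value, keepLast)
		if err != nil {
			return "", err
		}
		if _, taken := v.toValue[t]; taken || t == value {
			continue // collision, or nothing substitutable: try again
		}
		v.toValue[t] = value
		v.toToken[value] = t
		return t, nil
	}
	return "", fmt.Errorf("could not mint a distinct token for a %d-character value (too few digits outside keepLast?)", len(value))
}

// Detokenize is the single path back to the real value and is gated by caller.
func (v *Vault) Detokenize(caller, token string) (string, error) {
	if !detokenizeAllowed[caller] {
		return "", fmt.Errorf("caller %q is not permitted to detokenize", caller)
	}
	value, ok := v.toValue[token]
	if !ok {
		return "", fmt.Errorf("unknown token")
	}
	return value, nil
}

func main() {
	v := NewVault()
	tok, _ := v.Tokenize("123-45-6789", 4) // constructed sample, not a real SSN
	fmt.Println("what the support system stores:", tok)
	_, err := v.Detokenize("support-desk", tok)
	fmt.Println("support desk asking for the real value:", err)
	plain, _ := v.Detokenize("payments-settlement", tok)
	fmt.Println("settlement job:", plain)
}
```

A support application built on this holds tokens only, so an agent who is talked into reading a record aloud can read out a token that is useless outside the vault; whether the last four digits should survive in the token is a per-field decision, since those digits are themselves what many phone-based identity checks ask for. The value "6789" with keepLast 4 is the edge case the loop guards against: nothing is left to substitute, so the vault refuses rather than issuing a token equal to the value.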
November 10, 2021
Steven Hope
CEO and co-founder
Authlogics

While most of the data extracted for the majority involved isn’t extremely sensitive or confidential, it can still be used by bad actors for social engineering or password spraying/credential stuffing attacks. Unfortunately, many individuals still make the mistake of using or re-using breached passwords, making their accounts extremely easy to access for cybercriminals. As such, it is vital that users understand not to share anything related to their passwords on their socials, and to use multi-factor authentication systems to protect their vital information.

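Hope's point here, and Bradley's earlier, is that credential stuffing and password spraying run on passwords that are already in breach corpora. A service can enforce that at registration and password change rather than hoping users remember the training: the k-anonymity check against the Pwned Passwords range API, where only the first five hex characters of the password's SHA-1 leave the client. The Go below is an added example of that check, not code from either expert or their companies. The range lookup is injected so the program runs offline: simulatedRange answers from a constructed corpus with made-up counts, and the 12-character minimum is an assumed policy.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"unicode/utf8"
)

// RangeLookup returns the "SUFFIX:COUNT" lines for a five-hex-character SHA-1
// prefix, i.e. the body of GET https://api.pwnedpasswords.com/range/<prefix>.
// The caller supplies it so the check can be exercised offline.
type RangeLookup func(prefix string) (string, error)

// sha1Hex is the uppercase hex SHA-1 the Pwned Passwords range API keys on.
func sha1Hex(password string) string {
	sum := sha1.Sum([]byte(password))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// BreachCount implements the k-anonymity check: only the first five hex characters
// of the hash leave the client; the remaining 35 are matched locally against the
// range the server returns, so the service never learns which password was asked about.
func BreachCount(password string, lookup RangeLookup) (int, error) {
	h := sha1Hex(password)
	prefix, suffix := h[:5], h[5:]
	body, err := lookup(prefix)
	if err != nil {
		return 0, err
	}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) != 2 || !strings.EqualFold(parts[0], suffix) {
			continue
		}
		return strconv.Atoi(strings.TrimSpace(parts[1]))
	}
	return 0, nil
}

// AcceptPassword is the registration/change-password rule: a minimum length plus
// "never seen in a breach", the NIST SP 800-63B approach that a periodic training
// reminder about reuse cannot enforce on its own. The 12-character floor is an assumption.
func AcceptPassword(password string, lookup RangeLookup) (bool, string, error) {
	if utf8.RuneCountInString(password) < 12 {
		return false, "shorter than 12 characters", nil
	}
	n, err := BreachCount(password, lookup)
	if err != nil {
		return false, "", err
	}
	if n > 0 {
		return false, fmt.Sprintf("appears in known breaches (%d times)", n), nil
	}
	return true, "", nil
}

// constructedCorpus stands in for the breach corpus; passwords and counts are made up
// for the example. simulatedRange answers a prefix query from it the way the real
// endpoint would: hash suffixes of everything sharing the prefix, each with its count.
var constructedCorpus = map[string]int{
	"password": 1000, "123456": 2500, "qwerty": 700, "letmein": 120, "correcthorsebatterystaple": 300,
}

func simulatedRange(prefix string) (string, error) {
	if len(prefix) != 5 {
		return "", errors.New("prefix must be exactly five hex characters")
	}
	var b strings.Builder
	for pw, count := range constructedCorpus {
		if h := sha1Hex(pw); h[:5] == strings.ToUpper(prefix) {
			fmt.Fprintf(&b, "%s:%d\r\n", h[5:], count)
		}
	}
	return b.String(), nil
}

func main() {
	for _, pw := range []string{"password", "correcthorsebatterystaple", "Vermilion-Teacup-Orbit-7731"} {
		ok, reason, err := AcceptPassword(pw, simulatedRange)
		fmt.Printf("%-30q accepted=%v %s %v\n", pw, ok, reason, err)
	}
}
```

To run it against the real corpus, supply a RangeLookup that performs the HTTPS GET and returns the body; the rest of the logic is unchanged, and the server still only ever sees five hex characters of the hash.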
November 10, 2021
Erich Kron
Security Awareness Advocate
KnowBe4

Social engineering continues to play a significant role in spreading malware and ransomware as well as in breaches such as this one. The bad actors behind these attacks are often highly-skilled and very convincing when they get a potential victim on the line.

Unfortunately, technology is not good at stopping these attacks, so the best defence against these attempts is education and training. Employees should be trained to spot and report social engineering and phishing attacks using short, focused training modules and organisations should have a policy telling employees how to report these attacks.

November 10, 2021
Chris Hauk
Consumer Privacy Champion
Pixel Privacy

I have long held that education is perhaps one of the most important tools a company can use to avoid data breaches like this. Socially engineered attacks like the Robinhood breach can possibly be avoided by educating employees and executives on the methods used by the bad actors of the world.

Robinhood users can help protect themselves and their accounts by following a few simple suggestions:

  • Change your password to a unique and secure password. Enable two-factor authentication for your Robinhood account (Accounts > Security and Privacy > Two-Factor Authentication in the app).
  • Stay alert for any phishing emails, texts, or phone calls that the bad guys may use to try and steal your login credentials. Robinhood will communicate with you via messages in the Robinhood app.
  • Report any suspected phishing scams to: reportphishing@robinhood.com
November 09, 2021
Hank Schless
Senior Manager, Security Solutions
Lookout

PHISHING FACTS

  • Phishing has become the most prominent attack method for threat actors. 
  • According to Lookout data, almost 50% of mobile users encounter at least one phishing attack every quarter in 2021. This is a significant increase from about 30% every quarter in 2020.

This shows how cyber criminals see mobile phishing as a highly viable attack vector, and it helps their case that they can target individuals through SMS, iMessage, email, social media apps, third party messaging platforms, gaming and even dating apps.

The mobile apps we use every day provide the perfect environment for malicious actors to build legitimate-looking profiles and socially engineer us into giving up sensitive information.

HOW PHISHING HAPPENS

  • Even though this particular incident targeted an enterprise organization, attackers do not discriminate. They'll use the exact same tactics on targets whether they want to swipe corporate login credentials or personal banking logins. 

This is frequently done by sharing a fake link to a collaboration platform such as Google Workspace or Microsoft Office 365 and asking the user to log in so that their credentials can be validated. 

In reality, these fake pages send your credentials straight to the attacker without you ever knowing.

If the attacker targets the victim on their smartphone, it becomes even more difficult to spot the malicious intent because of the smaller screen and simplified user interface of mobile devices.

WHAT ROBINHOOD USERS SHOULD DO

  • As a matter of caution, Robinhood users should consider doing the following:
    • Changing their password on their Robinhood account. If that password is reused for any other accounts, change those as well.
    • Enabling two-factor authentication on their Robinhood account. This can help protect your account even if your credentials are compromised.
    • Running a mobile security app. In the same way you would never run your computer without antivirus software, you should be certain to protect your smartphones and tablets with a security solution.

November 09, 2021
Rajiv Pimplaskar
CEO
Dispersive Holdings, Inc.

Financial services and e-commerce consumer accounts are a magnet for bad actors to exploit as they offer easy access to money as well as PII (Personally Identifiable Information) that can be later misused. Password sharing is often domain specific and an individual is more apt to share passwords between their financial accounts, making lateral movement easier and facilitating a larger number of breaches.

While traditional 2FA (Two Factor Authentication) can mitigate the issue, it still doesn’t solve for the MITM (Man In The Middle) attacks where phished authentication credentials can be introduced into an alternate compromised channel enabling the fraudster to take control.

BFSI (Banking, Financial Services and Insurance) companies as well as the retail industry need to mandate passwordless customer authentication methods leveraging W3C WebAuthn and FIDO Alliance standards. These methods establish an unphishable relation between the user and their account, making the environment immune to such data breaches and ransomware inc
idents. Furthermore, such solutions are easier to use and more cost effective to operate, enabling great adoption.

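Pimplaskar's distinction above, between a one-time code that a man-in-the-middle page can relay and a WebAuthn credential that it cannot, rests on one detail of the protocol: the browser, not the page, writes the origin into the client data, the authenticator signs over that data, and the relying party checks origin and challenge before it checks the signature. The Go below is an added example that models exactly that part; it is not Dispersive's or any vendor's code. The relying-party ID trading.example, the origins and the minimal authenticator data (no attestation, signature counter left at zero) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

const rpID = "trading.example" // an assumption for the example, not Robinhood's real relying-party ID

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator holds one credential scoped to rpID; the private key never leaves it.
type Authenticator struct{ key *ecdsa.PrivateKey }

// RelyingParty is the server: the public key from registration plus unconsumed challenges.
type RelyingParty struct {
	pub        *ecdsa.PublicKey
	challenges map[string]bool
}

type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Enroll models registration: a P-256 key pair minted for rpID; the server keeps the public half.
func Enroll() (*Authenticator, *RelyingParty, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{key: k}, &RelyingParty{pub: &k.PublicKey, challenges: map[string]bool{}}, nil
}

// signedMessage is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// GetAssertion models browser plus authenticator: the browser fills in the origin (a page
// cannot choose it) and refuses unless rpID is that host or a registrable parent of it.
func (a *Authenticator) GetAssertion(origin, challenge string) (*Assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("rpID %q is not valid for origin %q", rpID, origin)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	auth := make([]byte, 37) // rpIdHash(32) || flags(1) || signCount(4, left at zero here)
	rpHash := sha256.Sum256([]byte(rpID))
	copy(auth, rpHash[:])
	auth[32] = 0x01 // user present
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(auth, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: auth, ClientDataJSON: cd, Signature: sig}, nil
}

func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := fmt.Sprintf("%x", b)
	rp.challenges[c] = true
	return c, nil
}

// Verify rejects client data naming a challenge the RP did not issue, a foreign origin or
// another rpID; the signature covers that data, so a relay cannot rewrite it to pass.
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.challenges[cd.Challenge] {
		return fmt.Errorf("wrong ceremony type or unknown/replayed challenge")
	}
	delete(rp.challenges, cd.Challenge) // single use, whatever happens next
	if cd.Origin != "https://"+rpID {
		return fmt.Errorf("origin %q is not the relying party", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not cover this client data")
	}
	return nil
}
```

Three cases fall out of this. A login from https://trading.example verifies. A look-alike host such as https://trading-login.example that relays the genuine challenge never receives an assertion, because the browser refuses to use a credential scoped to trading.example there; that is the step a relayed OTP code has no equivalent of. And if an attacker did obtain an assertion minted for some other origin, rewriting the origin or challenge in the client data invalidates the signature, since the signature is over the hash of those exact bytes. A production relying party additionally checks the signature counter for clones and, at registration, the attestation, both omitted here.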
November 09, 2021
Garret F. Grajek
CEO
YouAttest

Data breaches are the outcome of the constant scanning, exploring and probing that are being done on all internet resources today. Attackers use automated tools for 24/7 scanning – they then automate mapping to vulnerabilities and map exploitation tools to the discovered vulns. This is why zero-day hacks are, by nature, ahead of the patches: bad actors find the vulnerability before vendors have identified them, let alone patched them. It’s essential to use hardened platforms and adhere to solid security practices like the NIST 800-53, PR.AC-6, the principle of least privilege. We must assume our sites and the credentials themselves will be hacked and ensure that each identity provides the least amount of exposure to the enterprise resources. This is best practiced through identity triggers and reviews which help an enterprise discover over-privileged identities and malicious changes to permissions of compromised identities.

November 09, 2021
Saryu Nayyar
CEO
Gurucul

This must be a hacker with a sense of humor, although the actual loss of data is by no means funny. It’s ironic that the trading app Robinhood was hacked, with the possible loss of information on up to seven million users in a ransomware attack. After all, the historical Robin Hood was renowned for robbing from the rich and giving to the poor. We’re guessing that those who did the hack aren’t going to give it to the poor.

It remains to be seen which group is responsible, and whether or not Robinhood paid the ransom, so this remains a developing story. And while it’s not easy to hack millions of records out of a system, it seems to happen on almost a daily basis these days. Legitimate customers deserve better protection than they seem to be getting these days.
