By Jeff Domansky
The same day US DOJ officials held a news conference high-fiving their success in charging two international ransomware hackers, online discount stockbroker Robinhood revealed intruders breached data of millions of customers.
Bloomberg reported personal data of one-third of Robinhood’s customers, about seven million accounts, was compromised last week by hackers demanding payment. Intruders stole the email addresses of five million clients and full names for another two million more. In addition, names, birth dates, and ZIP codes of another 310 people were stolen along with more data for another group of ten clients.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood Chief Security Officer Caleb Sima in a brief company blog post about the incident. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”
The company claims no customers incurred financial losses and no Social Security, bank account, or debit card information was exposed in the Nov 3 attack. However, a Robinhood spokesperson refused to disclose if payment was made to the cybercriminals.
Hackers reportedly impersonated an employee through a customer service rep to gain access to support systems. Robinhood said it discovered the breach, informed law enforcement, and hired security firm Mandiant to investigate.
Financial services a magnet for bad actors
Last October, hackers compromised another 2,000 Robinhood accounts. Unfortunately, it seems that the company’s mantra and a memo about “Safety First” didn’t reach the customer-service team.
“Financial services and e-commerce consumer accounts are a magnet for bad actors to exploit as they offer easy access to money as well as PII (Personally Identifiable Information) that can be later misused,” said Rajiv Pimplaskar, CRO of security firm Veridium.
“While traditional 2FA (Two Factor Authentication) can mitigate the issue, it still doesn’t solve for the MITM (Man In The Middle) attacks where phished authentication credentials can be introduced into an alternate compromised channel enabling the fraudster to take control,” Pimplaskar explained.
Security precautions needed experts say
According to Pimplaskar, banking, financial services, insurance companies, and the retail industry need to mandate passwordless customer authentication methods leveraging W3C WebAuthN and FIDO alliance standards.
“These methods establish an unphishable relation between the user and their account, making the environment immune to similar data breaches and ransomware incidents.” In addition, he said these security precautions are easier to use and more cost-effective to operate, which is why they are gaining in popularity with many businesses.
“The Robinhood data breach highlights the need for a prevention-first approach across industries to minimize the risk and scale of an attack before it cripples an organization. With cybercriminals targeting financial service organizations with the hope to yield a profit, humans and technology must work hand-in-hand to stay one step ahead to secure and protect critical data,” said John McClurg, Senior Vice President, and CISO at BlackBerry.
McClurg stressed implementing prevention-first AI-driven technology enables organizations to stop data breaches and ransomware attacks before they occur. “Although the breach was reportedly contained, leaked customer information such as full names, dates of birth, and ZIP codes can be used to facilitate attacks later, like targeted phishing emails. By halting the cyber attackers in the exploitation stage, organizations can increase resilience and ensure that customers’ and employees’ data are effectively secure,” McClurg added.
The latest attack on Robinhood and other financial institutions, government organizations, infrastructure, and companies reminds us to pay particular attention to prevention-first strategies. Ironically, the vulnerabilities continue to include humans despite our best efforts to implement technology, AI, and other cybersecurity defenses.
Sadly, despite the hopes and wishes of the fintech and financial industries, we’re never more than one step away from the next data breach, ransomware attack, or cybersecurity incident.