We’ve warned before that in the fight against cybercrime, a company’s employees can be either the best defense or the worst weakness. Online trading platform Robinhood Markets Inc. learned the hard way the importance of properly trained employees. Earlier this week, Robinhood said that personal information for more than 7 million customers was accessed during a data breach on November 3.
In a company statement, Robinhood explained the breach occurred during a customer service telephone call where the hacker “social engineered” the customer service representative and was able to obtain the email addresses of about 5 million users, as well as full names for a separate group of about 2 million individuals. The hacker also accessed additional personal information, including names, dates of birth, and zip codes of about 310 people. Robinhood also stated that for about 10 customers, “more extensive account details” were revealed, although the company did not provide any further information.
Robinhood believes that no Social Security, bank account, or debit-card numbers were exposed and that no customers suffered a financial loss. After Robinhood contained the attack, the hacker demanded an extortion payment.
While this breach is certainly novel because it happened over the telephone, it highlights the need for a workforce proficient in cybersecurity. Following a separate breach in 2020, where customers complained that there was no available customer service, Robinhood more than tripled the size of its customer service staff. That is a significant increase in employees and, consequently, a significant increase in potential vulnerabilities.
We don’t know what Robinhood’s cybersecurity training program looks like, and it’s certainly true that even the most sophisticated workforce can fall victim to a hack, but this breach reinforces the need not only to help employees identify attacks but also to teach employees what to do if an attack is occurring.
Have questions about your own cybersecurity awareness training? Nixon Peabody’s Data Privacy and Cybersecurity team is here to help.