Trading app Robinhood has revealed a significant data breach affecting the personal information of an estimated seven million customers.
The firm said an unauthorized third party gained access to the data on November 3 after targeting an employee.
“The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people and full names for a different group of approximately two million people,” a statement explained.
“We also believe that for a more limited number of people – approximately 310 in total – additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately ten customers having more extensive account details revealed.”
However, Robinhood said that no Social Security, bank account or debit card numbers were exposed in the breach, and it does not believe that any customers were financially impacted.
That said, the threat actor has purportedly demanded a ransom payment in return for the stolen data, so the information that has been taken could be monetized on the cybercrime underground in follow-on fraud attempts.
“As a safety-first company, we owe it to our customers to be transparent and act with integrity,” said Robinhood CSO Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”
The bare-bones stock trading app was fined a record $70m by the US Financial Industry Regulatory Authority (FINRA) over the summer for inflicting “widespread and significant harm” on customers. It was claimed the firm misled those customers about their investments, leaving them out of pocket.