Robinhood Data Security Incident: A Banana In The Tailpipe

Robinhood Markets, Inc. (NASDAQ: HOOD), is an American financial services company known for pioneering commission-free trades of stocks, exchange-traded funds, and cryptocurrencies via a mobile app. In a sense, Robinhood turned Wall Street into All Street by gamifying trading, bringing a fee-free stock exchange onto a millennial’s or reddetir’s iPhone near you.

For Robinhood, it has been a busy year in the media. In January, Robinhood famously halted GameStop trading, leading to market volatility and federal and state level investigations. Robinhood fell a little flat with their IPO. Barron’s described the IPO in four curt words in their article title: “Isn’t the Year’s Worst.” Yesterday, mass media amplified Robinhood’s announcement on their blog that on November 3 they fell prey to a data security incident.

Robinhood’s blog states that “an unauthorized third party obtained access to a limited amount of personal information for a portion of our customers.” The offending party “socially engineered a customer support employee by phone and obtained access to certain customer support systems.”

Commendably, Robinhood Chief Security Officer Caleb Sima announced that “we owe it to our customers to be transparent and act with integrity…Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

The data security incident involved the email addresses of more than 5 million customers, the full names of 2 million other customers, and other data from a much smaller group of customers.

In the 1984 movie Beverly Hills Cop, Eddie Murphy says, “Look, man, I ain’t fallin’ for no banana in my tailpipe!” Eddie Murphy’s character uses the banana trick to foil a group of bumbling police officers. A banana in the tailpipe could give the perpetrator of the ruse time to escape while having a good laugh at the victim’s expense as their car sputters and fails to start….

Like the tried-and-true “banana in the tailpipe” prank, the Robinhood attack is a prime example of social engineering which has been around for decades. While technical controls help us to guard against threat actors, there will always be instances where someone (in this case, the customer service representative) will fall for a ruse.

In the Robinhood data security incident, the type and number of records reportedly compromised aren’t particularly alarming to me. The fact is that anyone reading this blogpost most certainly has had their data compromised in one fashion or another.

The good news is that there were no reports of passwords being stolen which would change the equation. Regardless, this is just another reminder of the importance in not reusing credentials across multiple platforms. Particularly those which involve financial transactions.

There’s no substitute for implementing multi factor authentication, password managers, and good cyber hygiene to reduce the blast radius in the case where personal information is part of a data breach or even a targeted attack.

The resources below can direct your approach to mitigating data security risks in your organization:


Blog Footer Cybersecurity