Robinhood Data Security Incident: A Banana In The Tailpipe

Nov 10, 2021 | Data & Cybersecurity, Identity Protection

Robinhood Markets, Inc. (NASDAQ: HOOD) is an American financial services company known for pioneering commission-free trades of stocks, exchange-traded funds and cryptocurrencies via a mobile app. In a sense, Robinhood turned Wall Street into All Street by gamifying trading, bringing a fee-free stock exchange onto a millennial’s or redditor’s iPhone near you.

For Robinhood, it has been a busy year in the media. In January, Robinhood famously halted GameStop trading, leading to market volatility and federal and state level investigations. Robinhood fell a little flat with their IPO. Barron’s described the IPO in four curt words in their article title: “Isn’t the Year’s Worst.” Yesterday, mass media amplified Robinhood’s announcement on their blog that on November 3 they fell prey to a data security incident.

Robinhood’s blog states that “an unauthorized third party obtained access to a limited amount of personal information for a portion of our customers.” The offending party “socially engineered a customer support employee by phone and obtained access to certain customer support systems.”

Commendably, Robinhood Chief Security Officer Caleb Sima announced that “we owe it to our customers to be transparent and act with integrity…Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

The data security incident involved the email addresses of more than 5 million customers, the full names of 2 million other customers and other data from a much smaller group of customers.

In the 1984 movie Beverly Hills Cop, Eddie Murphy says, “Look, man, I ain’t fallin’ for no banana in my tailpipe!” Eddie Murphy’s character uses the banana trick to foil a group of bumbling police officers. A banana in the tailpipe could give the perpetrator of the ruse time to escape while having a good laugh at the victim’s expense as their car sputters and fails to start.

Like the tried-and-true “banana in the tailpipe” prank, the Robinhood attack is a prime example of social engineering, which has been around for decades. While technical controls help us to guard against threat actors, there will always be instances where someone (in this case, the customer service representative) will fall for a ruse.

In the Robinhood data security incident, the type and number of records reportedly compromised aren’t particularly alarming to me. The fact is that anyone reading this blogpost most certainly has had their data compromised in one fashion or another.

The good news is that there were no reports of passwords being stolen, which would change the equation. Regardless, this is just another reminder of the importance of not reusing credentials across multiple platforms, particularly those which involve financial transactions.

There’s no substitute for implementing multi-factor authentication, password managers, and good cyber hygiene to reduce the blast radius in the case where personal information is part of a data breach or even a targeted attack.

The resources below can direct your approach to mitigating data security risks in your organization:

Ron Bradley

Ron Bradley has been involved with Shared Assessments in some capacity for over 15 years. Notably, Bradley wrote some of the very first questions for the Standardized Information Gathering (SIG) Questionnaire. In this course of time, his hair has transitioned from an afro to his current distinguished style.

With a depth of experience building TPRM programs in financial services (Bank of America) and manufacturing (Reynolds, Trane Technologies), Ron understands how cultures and organizations drive the supply chain and third party process. As Vice President, Ron strives to use his extensive knowledge of Third Party Risk Management to help organizations build programs that realize the full potential of the Shared Assessments toolkit.

Ron’s experience in Europe, Asia and South America has allowed him to assess different vendor environments and to build Third Party Risk Management operations from the ground up across the world. Ron is an expert in risk in the manufacturing environment, Operational Technology, and Operational IoT.

Ron lives in Charlotte, North Carolina, and takes frequent trips to Scottsdale, Arizona. He loves golf, travel, and his Big Green Egg, which brings the people around Ron excessive quantities of love, joy, and happiness. Ron’s 24-year-old daughter and his famed sister Kathleen Bradley (first black game hostess!) bring him great delight.

Connect with Ron on LinkedIn or by email.
