Robinhood Could Face Legal Action After Hack Targets 2,000 User Accounts

Stock trading and investing app, Robinhood, recently admitted that nearly 2,000 brokerage accounts were compromised in a data breach—two weeks after initially describing it as a limited attack.

Robinhood Could Face Legal Action After Hack Targets 2,000 User Accounts

Hackers were able to access customer account information, including controlling trades and account funds. Given the sensitive information at stake and the delay in addressing the severity of the hack, the company could soon face lawsuits from impacted users and other parties.

Details of the Robinhood Hack

In early October 2020, Robinhood announced that “a limited number” of accounts had been compromised after the user’s login email address for their Robinhood accounts had been targeted elsewhere. As an internal review progressed, however, the number of compromised accounts increased. Two weeks after the initial announcement, Robinhood revised its estimate upward, to nearly 2,000 impacted accounts. The company has approximately 13 million customers. To date, this is the company’s largest security breach.

Despite the relatively small number of hacked accounts compared to the number of overall Robinhood users, the breach raises significant concerns, because many of the hacked accounts used two-factor authentication. Two-factor authentication verifies a user’s identity with two pieces of information: something they know, like a password, and something they have, like a smartphone. For instance, a common two-factor authentication setup first asks for a password. If the correct password is given, the second step sends a text message to the user’s phone with a code. If the user inputs the code correctly, the system assumes that they are who they say they are, because they both know the account holder’s password and have access to the account holder’s smartphone.

Two-factor authentication is supposed to be far more difficult for hackers to bypass because it demands access to both login information and a physical object, like a smartphone. The fact that such authentication was compromised here raises new concerns about data security measures that are considered best practices.

A History of Brokerage Data Breaches

Targeted cyberattacks on brokerage websites and accounts are, however, not a new phenomenon. One of the earliest examples is from 2006 when hackers were able to access E*TRADE user accounts. Here, the cybercriminals placed fake buy orders on penny stocks, purchasing the stocks for far more than they were worth. The E*TRADE breach was most impactful because it resulted in a number of new encryption protocols for financial technology websites.

Another significant brokerage security breach came in late 2013 when a database of approximately 4.6 million Scottrade customers was targeted in a hack. This compromised incredibly sensitive customer data, including social security numbers and email addresses. It took investigators nearly two years to sort through what information had been released and by whom. This remains one of the largest brokerage breaches in history.

While brokerage account attacks like Robinhood’s are nothing novel to the world of online trading, the Robinhood incident raises a number of questions surrounding the strength of data security for modern technology and also the role of customer service in a data breach situation.

Slow to Respond

To allay customers’ concerns about breaches, some online brokers offer asset security in this area. Both Fidelity and Charles Schwab, for instance, have guarantee policies in place to support customers impacted by a data breach situation and reimburse any money lost due to unauthorized account activity. Robinhood, however, has struggled to meet these standards when hit with its own breach. Initially, Robinhood did not alert every user about the breach, merely those whose data was affected. Some users, however, discovered that they could neither access their accounts nor immediately contact Robinhood about the problem— the company does not have a phone-based customer service, only an online reporting system. Robinhood has since discussed setting up a way for customers to reach out via phone and pledged to reimburse impacted customers pending an investigation.

Beyond customer service processes, Robinhood also lacks some of the more sophisticated security measures seen in other brokerage firms. For example, the company does not require changes in bank account information to be verified. As a result, hackers were able to access users’ accounts and completely drain the funds by simply connecting their own bank account to the Robinhood account. The Robinhood app then allowed transfers to proceed without first verifying that the actual account holder intended for the new bank account to be connected.

Lawsuits to Come?

As criticisms mount, the risk of lawsuits resulting from the data breach rises as well. Users may be able to bring claims not only for the return of their drained funds but also regarding the privacy and security of the sensitive personal and financial information they provided to Robinhood. This will be an interesting financial story to follow, possibly, to the courts.

About the author

Dani Alexis Ryskamp, J.D.

Dani Alexis Ryskamp, J.D.

Dani Alexis Ryskamp, J.D., is a multifaceted legal professional with a background in insurance defense, personal injury, and medical malpractice law. She has garnered valuable experience through internships in criminal defense, enhancing her understanding of various legal sectors.

A key part of her legal journey includes serving as the Executive Note Editor of the Michigan Telecommunications and Technology Law Review. Dani graduated with a J.D. from the University of Michigan Law School in 2007, after completing her B.A. in English, summa cum laude, in 2004. She is a member of the Michigan State Bar and the American Bar Association, reflecting her deep commitment to the legal profession.

Currently, Dani Alexis has channeled her legal expertise into a successful career as a freelance writer and book critic, primarily focusing on the legal and literary markets. Her writing portfolio includes articles on diverse topics such as landmark settlements in medical negligence cases, jury awards in personal injury lawsuits, and analyses of legal trial tactics. Her work not only showcases her legal acumen but also her ability to communicate complex legal issues effectively to a wider audience. Dani's blend of legal practice experience and her prowess in legal writing positions her uniquely in the intersection of law and literature.

background image

Subscribe to our newsletter

Join our newsletter to stay up to date on legal news, insights and product updates from Expert Institute.