How Robinhood fell victim to a vishing raid


The hack – the details of which haven’t been previously reported – raises new questions about Robinhood’s efforts to ensure that its millions of customers get the support and help they need to invest safely.

NEW YORK: The call was coming from inside the company.

Or so it seemed when the mobile phone of a customer-service representative for Robinhood Markets Inc lit up on the evening of Nov 3. More than an hour passed – on and on the conversation ran, as the caller reeled in the hapless employee.

By the time it was over, that one Robinhood rep had unwittingly handed over keys to the personal information of about seven million customers, in what’s now believed to be one of the biggest retail brokerage cyber-breaches of all time, by number of accounts affected.

Robinhood didn’t learn of the lapse until the rep got home and told a relative about the strange call – and was promptly advised to escalate it, according to a person familiar with the matter.

Only then did the employee inform the company, whose free trading app caught fire with young people buying meme stocks, options and crypto during the pandemic, at times with devastating results.

Robinhood declined to comment on the agent’s performance. It said separately that, to its knowledge, no Social Security numbers or data about debit cards or bank accounts were compromised. Nor did customers incur financial losses, according to the firm.

Such assurances aside, the hack – the details of which haven’t been previously reported – raises new questions about Robinhood’s efforts to ensure that its millions of customers get the support and help they need to invest safely.

The breach was a stunning example of what’s known as a vishing (voice phishing) attack, in which a mark is talked into revealing crucial bits of information – the sort of lapse that brokerages work hard to prevent through training.

Some Robinhood insiders have been warning that the company’s belated push to improve customer service has failed to keep pace with its breakneck growth.

In late 2019, there were roughly 370 support staff, more than half of them outsourced, to work with five million customers. Today, there are about 1,000 reps to deal with 22.4 million customers, the majority of them new to trading.

Two former Robinhood support staffers said that at times the team’s focus on growth backfired and led to internal clashes.

In one example, a group of managers expressed trepidation over the company’s decision to move to 24/7 phone support for all customer queries, fearing the team wasn’t ready, according to one of the people, who asked not to be identified because because the debate was not public.

Robinhood also tested an instant message-based customer service system in early 2021 but dismissed that approach as too complicated, two people said.

A Robinhood spokesperson said the company is “proud to offer 24/7 phone support, which is the best way to serve our customers and which we rolled out thoughtfully and methodically over the course of nearly a year.”

This month’s debacle is just the latest in a series of customer service headaches for Robinhood, including a separate hacking episode last year and a major system outage in March 2020.

“Robinhood has this situation where they’re always in a crisis six-to-18 months ahead of where their operations are,” said Mazi Bahadori, chief compliance officer at Altruist Corp, an investment platform for financial advisers. “This hack is an example of it.”

The hackers walked off with thousands of phone numbers and millions of email address – details criminals can use to induce people via phishing emails to reveal still more personal information, such as passwords and credit-card numbers. Also among the stolen valuables: photo ID information for fewer than 10 customers, according to the firm.

Other technology companies have fallen victim to vishing attacks. In July 2020, for instance, hackers manipulated several popular Twitter accounts, including those of Joe Biden, Elon Musk and Jeff Bezos, and used information to target employees with access to account-support tools.

Financial firms should stay on alert for vulnerabilities in every department, said Joanna Fields, founding principal at consultancy Aplomb Strategies. “The more people are aware that it could happen anywhere in the organisation, the better,” she said. “There are very sophisticated actors looking for information.” ― Bloomberg

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 46
Cxense type: free
User access status: 3
Join our Telegram channel to get our Evening Alerts and breaking news highlights

RobinhoodMarkets Inc , vishing raid , hack ,

   

Next In Business News

Nextgreen inks MoU with Kelantan govt for projects worth RM2.23bil
Lagenda Properties in 50:50 JV with Inta Bina
Jiankun undertakes RM1.2bil GDV redevelopment project in Kampong Bharu
MoF confident customs dept can achieve va programme target
IGB Reit Q4 net profit rises to RM73.59mil
Khairussaleh resigns as RHB group MD/CEO
AWC secures RM7.12mil contract from KTMB
Hong Seng's healthcare arm HS Bio acquires two industrial properties
Bursa Malaysia rebounds on bargain hunting
AirAsia X targets Asia cargo market in deal with logistics firm

Others Also Read


Vouchers