Robinhood Can’t Seem to Keep User Data Safe: Data Breach Exposes the Personal Data of Millions of Users

Danielle McNamara

Associate Editor

Loyola University Chicago School of Law, JD 2023

On November 3, 2021, Robinhood Markets Inc., a popular online stock trading app, reported that an intruder gained access to its systems, obtaining the personal information of millions of its users. With its sudden rise to both popularity and public contempt following the GameStop stock volatility, and an ongoing class action lawsuit concerning a previous breach, Robinhood is in hot water with customers and regulatory agencies alike.

What is Robinhood?

Founded in 2013, Robinhood was created by Vlad Tenev and Baiju Bhatt in an attempt to make investing easier for the “ordinary person”. To accomplish this, the creators made a user-friendly app that made trading commission-free for its users. These features made it a popular choice for both new and veteran investors.

Robinhood generates revenue in various ways, including investing the cash its customers hold in their user accounts. However, the majority of Robinhood’s revenue comes from trading volume; thus, the more users it has, the more money the company makes. As of November 2021, Robinhood has approximately 22.5 million users and $95 billion in assets under custody.

Robinhood and the 2020 GameStop stock trend

Amidst the notorious 2020 GameStop stock craze, stock trading and investing became popular amongst many people who had no previous knowledge or experience within the sector. As such, Robinhood became the go-to investment platform because of its commission-free trading. This turned the heads of already wary regulators, as Robinhood began gaining countless new users, many of whom were new to investing.

However, in January of 2021, Robinhood restricted users’ ability to trade the GameStop stock and other popular stocks at the time. This resulted in backlash from users questioning the motives of a company founded on the idea of promoting the democratization of investment, accusing the app of market manipulation.

Subsequently, Robinhood became the target of more than fifty private lawsuits in connection with the restrictions and other issues. In addition, policymakers began scrutinizing the core practices utilized in Robinhood’s business model, particularly payment-for-order-flow (PFOF), indicating that they raise conflict of interest and competition concerns. PFOF involves brokers routing retail orders to wholesale brokers in exchange for payment. PFOF and similar transactions accounted for approximately seventy-five percent of Robinhood’s nearly $1 billion in revenue in 2020.

SEC chair Gary Gensler has since asked his staff to recommend new regulations regarding PFOF transactions and other practices used by Robinhood. Among a slew of others, these recommendations include heightened scrutiny of PFOF transactions and expanded disclosure by investment funds of short sales and swap positions that are linked to stocks. However, given its vast customer base, industry veterans expect Robinhood to survive the SEC review of PFOF even if new regulations curtail its revenue from this business model.

Previous data breach issues

The November 3 data breach is not the first time Robinhood has been under fire for a data breach. In the summer and fall of 2020, hackers gained access to about 2,000 customer accounts. The hackers then “looted funds” and obtained personal and financial information.

Robinhood now faces a class action lawsuit for its failure to maintain industry-standard security measures that could have prevented the breach. Although in May U.S. Magistrate Judge Susan Van Keulen eliminated numerous claims from the suit, Robinhood’s various attempts to dismiss the suit have been unsuccessful. The judge ultimately held that the plaintiffs had adequately alleged claims for negligence and violations of the California Consumer Privacy Act.

What happened?

In a statement released by Robinhood, the company explained that the hacker gained access to a customer support employee’s phone and, from there, to customer support systems. Robinhood stated that it “believes” no Social Security numbers, bank account numbers, or debit card numbers were exposed in the breach and that there has been no financial loss to any customers resulting from the incident.

However, approximately 5 million customers’ email addresses were obtained by the hackers. Of these 5 million, nearly 2 million customers’ full names were exposed. Furthermore, over 300 people had information including their names, birthdays, and ZIP codes stolen, and ten people had “more extensive account details revealed.” Robinhood assured users that, despite a demand for an extortion payment, the intrusion had been contained and law enforcement had been notified.

Potential implications

Despite its promise of being a “Safety First” company, Robinhood’s track record shows otherwise. Although Robinhood assures that no financial information was accessed through the November 3 breach, because this is the second time a breach has occurred, users may begin to second-guess the safety of the app.

While the majority of the data acquired by the hackers does not appear to pose a serious issue for users’ overall safety, Allison Nixon, the chief research officer at Unit 221B LLC, a cybersecurity investigations company, warns that this data is not useless to hackers. Nixon indicates that those customers who had more information than just a name or email address exposed are at a much greater risk of being the targets of attacks like SIM swapping, which involves hackers taking over victims’ phone numbers to break into their online accounts.

Given its rise to notoriety, Robinhood may also be struggling with the sheer number of users it currently has. Robinhood has gained millions of new users since early 2020 and has more than tripled the number of customer-support agents on staff. However, given that this attack stems from a hacker’s ability to break into customer-support data, more drastic measures appear to be a necessity in order to protect its growing user base from another data breach.