{"id":4306,"date":"2021-11-24T10:30:48","date_gmt":"2021-11-24T16:30:48","guid":{"rendered":"https:\/\/blogs.luc.edu\/compliance\/?p=4306"},"modified":"2021-11-24T10:30:48","modified_gmt":"2021-11-24T16:30:48","slug":"robinhood-cant-seem-to-keep-user-data-safe-data-breach-exposes-the-personal-data-of-millions-of-users","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=4306","title":{"rendered":"Robinhood Can\u2019t Seem to Keep User Data Safe: Data Breach Exposes the Personal Data of Millions of Users"},"content":{"rendered":"<p><span style=\"font-family: 'times new roman', times, serif\"><em>Danielle McNamara<\/em><\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\"><em>Associate Editor<\/em><\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\"><em>Loyola University Chicago School of Law, JD 2023 <\/em><\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">On November 3, 2021, Robinhood Markets Inc., a popular online stock trading app, reported that an intruder <a href=\"https:\/\/blog.robinhood.com\/news\/2021\/11\/8\/data-security-incident\">gained access<\/a> to its systems, obtaining the personal information of millions of its users. With its sudden rise to popularity and contempt following the GameStop stock volatility, and an ongoing class action lawsuit concerning a previous breach, Robinhood is in hot water with both customers and regulatory agencies alike.<\/span><\/p>\n<p><!--more--><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\"><strong>What is Robinhood? <\/strong><\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">Founded in 2013, Robinhood was <a href=\"https:\/\/robinhood.com\/us\/en\/support\/articles\/our-story\/\">created<\/a> by Vlad Tenev and Baiju Bhatt in an attempt to make investing easier for the \u201cordinary person\u201d. 
To accomplish this, the creators made a user-friendly app that made trading commission-free for its users. These features made it a popular choice for both new and veteran investors.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">Robinhood generates revenue in various ways, including investing the cash its customers have in their user accounts. However, the majority of Robinhood\u2019s <a href=\"https:\/\/www.newyorker.com\/magazine\/2021\/05\/17\/robinhoods-big-gamble\">revenue<\/a> comes from trading volume. Thus, the more users, the more money the company will make. As of November 2021, Robinhood has approximately 22.5 million users and $95 billion in assets <a href=\"https:\/\/www.wsj.com\/articles\/robinhood-hack-exposes-millions-of-customer-names-email-addresses-11636408263?mod=Searchresults_pos6&amp;page=1\">under custody<\/a>.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\"><strong>Robinhood and the 2020 GameStop stock trend<\/strong><\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">Amidst the notorious 2020 GameStop stock craze, stock trading and investing became popular amongst many people who had no previous knowledge or experience within the sector. As such, Robinhood became the go-to investment platform because of its commission-free trading. This turned the heads of already <a href=\"https:\/\/www.law360.com\/compliance\/articles\/1438989\/robinhood-says-hacker-stole-millions-of-customers-info\">wary regulators<\/a>, as Robinhood began gaining countless new users, many of whom were new to investing.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">However, in January of 2021, Robinhood restricted users\u2019 ability to trade GameStop stock and other popular stocks at the time. 
This resulted in <a href=\"https:\/\/www.businessinsider.com\/gamestop-stock-trading-robinhood-users-critics-revolt-2021-1\">backlash<\/a> from users who questioned the motives of a company founded on the idea of democratizing investment and accused the app of market manipulation.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">Subsequently, Robinhood became the target of more than fifty private lawsuits in connection with the restrictions and other issues. In addition, policymakers <a href=\"https:\/\/www.reuters.com\/technology\/regulatory-legal-headwinds-facing-robinhood-2021-07-02\/\">began scrutinizing<\/a> the core practices utilized in Robinhood\u2019s business model, particularly payment-for-order-flow (PFOF), indicating that these practices raise conflict-of-interest and competition concerns. PFOF involves brokers routing retail orders to wholesale brokers in exchange for payment. These PFOF and other transactions accounted for approximately seventy-five percent of Robinhood\u2019s nearly $1 billion in revenue in 2020.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">SEC chair Gary Gensler has since asked his staff to recommend new regulations regarding PFOF transactions and other avenues used by Robinhood. Amongst a slew of others, these <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2021-05-05\/gensler-signals-new-rules-that-could-threaten-robinhood-citadel\">recommendations<\/a> include heightened scrutiny of PFOF transactions and boosting investment funds\u2019 disclosures of short sales and swap positions that are linked to stocks. 
However, given its vast customer base, industry veterans expect Robinhood to <a href=\"https:\/\/www.wsj.com\/articles\/robinhoods-debut-is-clouded-by-sec-scrutiny-of-payment-for-order-flow-11625655600\">survive<\/a> the SEC review of PFOF even if new regulations curtail its revenue from this business model.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\"><strong>Previous data breach issues <\/strong><\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">The November 3 data breach is not the first time Robinhood has been under fire for a data breach. In the summer and fall of 2020, hackers <a href=\"https:\/\/www.law360.com\/compliance\/articles\/1438989\/robinhood-says-hacker-stole-millions-of-customers-info\">gained access<\/a> to about 2,000 customer accounts. The hackers then \u201clooted funds\u201d and obtained personal and financial information.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">Robinhood now faces a <a href=\"https:\/\/www.law360.com\/articles\/1420135\">class action lawsuit<\/a> for its failure to maintain industry-standard security measures that could have prevented the breach. Although in May U.S. Magistrate Judge Susan Van Keulen eliminated numerous claims from the suit, Robinhood\u2019s various attempts to dismiss the suit have been unsuccessful. The judge ultimately held that the plaintiffs had adequately alleged claims for negligence and violations of the California Consumer Privacy Act.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\"><strong>What happened? 
<\/strong><\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">In a <a href=\"https:\/\/blog.robinhood.com\/news\/2021\/11\/8\/data-security-incident\">statement<\/a> released by Robinhood, the company explained that the hacker gained access to a customer support employee\u2019s phone and obtained access to customer support systems. Robinhood stated that it \u201cbelieve[s]\u201d no Social Security numbers, bank account numbers, or debit card numbers were exposed in the breach and that there has been no financial loss to any customers resulting from the incident.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">However, approximately 5 million customers\u2019 email addresses were obtained by the hackers. Of these 5 million, nearly 2 million customers\u2019 full names were exposed. Furthermore, over 300 people had information including their names, birthdays and ZIP codes stolen, and ten people had \u201cmore extensive account details revealed.\u201d Robinhood assured users that despite the demand for an extortion payment, the intrusion had been contained and law enforcement had been notified.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\"><strong>Potential implications<\/strong><\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">Despite its promise of being a \u201cSafety First\u201d company, Robinhood\u2019s track record shows otherwise. 
Although Robinhood assures users that no financial information was accessed through the November 3 breach, because this is the second time a breach has occurred, users may begin to second-guess the safety of the app.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">While the majority of data acquired by the hackers does not appear to pose a <a href=\"https:\/\/www.wsj.com\/articles\/robinhood-hack-exposes-millions-of-customer-names-email-addresses-11636408263?mod=Searchresults_pos6&amp;page=1\">serious issue<\/a> for users\u2019 overall safety, Allison Nixon, the chief research officer at Unit 221B LLC, a cybersecurity investigations company, warns that this data is not useless to hackers. Nixon indicates that those customers who had more information than just a name or email address exposed are at a much greater risk of being the targets of attacks like SIM swapping, which involve hackers taking over victims\u2019 phone numbers to break into their online accounts.<\/span><\/p>\n<p><span style=\"font-family: 'times new roman', times, serif\">Given its rise to notoriety, Robinhood may also be struggling with the sheer number of users it currently has. Robinhood has gained millions of new users since early 2020 and has <a href=\"https:\/\/www.cbsnews.com\/news\/robinhood-customer-service-phone-support-expands-after-complaints\/\">more than tripled<\/a> the number of customer-support agents on staff. However, given that this attack stems from a hacker\u2019s ability to break into the customer-support data, more drastic measures appear to be a necessity in order to protect its growing user base from another data breach.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On November 3, 2021, Robinhood Markets Inc., a popular online stock trading app, reported that an intruder gained access to its systems, obtaining the personal information of millions of its users. 
With its sudden rise to popularity and contempt following the GameStop stock volatility, and an ongoing class action lawsuit concerning a previous breach, Robinhood is in hot water with both customers and regulatory agencies alike.<\/p>\n","protected":false},"author":97,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1205,1623],"class_list":["post-4306","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-journal-of-regulatory-compliance","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/4306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/97"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4306"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/4306\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}