On November 8, 2021, Robinhood announced a data security incident, stating that on November 3rd “an unauthorized third party obtained access to a limited amount of personal information for a portion of customers.” The exposed data included e-mail addresses for approximately five million people and full names for approximately two million people, and a smaller number of Robinhood users had additional personal information accessed. Robinhood is contacting affected individuals directly.
With its promise of “investing for everyone”, Robinhood is a popular platform for retail investors, reporting 18 million accounts and $80 billion in assets in July 2021. Seven million people have been affected by the recent data security incident, and your employees may be among them.
As a compliance professional, what can you do to ensure an outside data security incident does not become a cybersecurity threat to your organization?
First, advise affected employees to reset their passwords.
Robinhood has not reported that passwords were exposed, but resetting passwords on potentially affected accounts, including personal e-mail, corporate e-mail, and bank and brokerage accounts, is a sensible precaution after any breach, above all wherever an employee has reused the same password across services. Enabling multi-factor authentication on those accounts limits the damage a reused password can do in future. Exposed e-mail addresses and names are also exactly what a targeted phishing campaign needs, so affected employees should treat unexpected messages claiming to come from Robinhood with suspicion. Employees with Robinhood accounts may also want to protect their identities by freezing their credit or engaging a credit-monitoring service.
Watch for updates from the impacted organization.
Robinhood is contacting individuals affected by the data security incident and may recommend further steps; pass those along to your employees as they arrive.
Consider potential impacts to all third-party vendors and systems.
ComplySci was not impacted by the recent Robinhood data security incident, but other vendors may have been. After any data breach, it is worth asking your third-party vendors whether they were affected, and knowing in advance how each vendor monitors its systems and protects the data you entrust to it.
Review your firm’s policies and practices and retrain employees regularly.
The Robinhood breach began when an “unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.” The initial foothold, in other words, was a person rather than a software flaw, and that is a risk patching alone does not address. Cyber attacks are becoming more sophisticated, and your policies should spell out how staff verify a caller's identity before granting access, resetting credentials, or releasing customer data. Keeping those policies current and training employees on them regularly is a key part of maintaining security within your firm.
Mitigating risk, including cybersecurity risk, is a core responsibility of compliance teams, and continued vigilance is key. For more steps your firm can take to avoid common cybersecurity pitfalls, see our recent blog post Tips & Tricks for Chief Compliance Officers: Cybersecurity.