Trading app Robinhood has this week acknowledged that it has been hit by a ransomware attack, which has exposed the details of millions of users.
In a statement on the company's site, it stated that the data breach was due to a ransomware attack, and it was currently complying with advice from law enforcement.
Details of the Robinhood Ransomware Attack
In a statement posted on Robinhood's site, the company stated that it experienced a security incident on the 3rd of November, when a third party was able to access data records of its customers.
The attack was carried out, according to Robinhood, by the third party ‘socially engineering a customer support employee by phone' and gaining access to customer support systems.
In its statement, Robinhood is quick to point out that no financial data, including bank account or debit card numbers were taken. It also states that no social security numbers were compromised, and as such there has been no financial loss to customers.
However, it did confirm that an email list of five million users was taken, as well as full names for a further two million. Whilst this isn't as serious as financial theft, these details can still be utlized by fraudsters to generate convincing phishing scams.
In addition, a further 310 users have had more extensive information collected, including address and date of birth details. Robinhood is reaching out to these people individually.
Robinhood Refusing to Comply with Ransomware Demands
After the attack, Robinhood received a demand for payment for the return of the data. This is the modus operandi of ransomware hackers, and it can be a lucrative one, with many companies handing over payment (usually in the form of untraceable cryptocurrency), rather than risk having sensitive customer or business data exposed.
However, in Robinhood's case, it appears to be refusing to yield to the demand, instead reaching out to law enforcement and security experts instead.
“After we contained the intrusion, the unauthorized party demanded an extortion payment. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.” – Robinhood statement
Should Companies Pay Ransomware Demands?
We have seen many high profile cases over the last year where ransomware has disrupted a company, forcing them offline and causing huge detriment to their day to day operations, as well as the security of their data. If you're in the company's shoes, it may well be tempting to throw a few million at the problem to make it go away, but should you?
According to the US Treasury, it's a resounding no. There are several reasons for this advice, including that paying up can simply reinforce to hackers that these attacks work. There's also no guarantee that paying will get you back your data, or stop demands for more payments.
A more sinister factor at play is that paying after a ransomware attack may unwittingly land your company in hot water under the ‘Trading with the Enemy Act'. As many of these attacks come from overseas, from countries with sanctions imposed on them by the US, dealing with them could end in a fine from the US government.
So, the advice is that no matter what your accountant tells you, you shouldn't pay for a ransomware attack.
How to Avoid a Ransomware Attack
Ransomware attacks are a fairly nebulous concept – there isn't one traditional method that hackers like to use to infiltrate systems. They will, and do, try anything to get in. In the case of the Robinhood attack, it appears that the route in began with a phone call, with access to customer service platforms escalating from there. In this scenario, it's diligence and process that would be needed to stop the attack, not specialist security software.
There are ways to catch ransomware early on, before it can take hold of your systems. Tools like anti-virus software can be instrumental in catching threats from unsecure devices or email, and isolating them. Once ransomware gets into the system, it's already too late, so getting them early is key.
Staff training and clear security procedures are also important. Security permissions for databases and platforms should be reviewed regularly, with only those that absolutely need to have access able to do so.
Vigilance around access details is also important, with previously breached data a potential route for scammers. It's worth checking your current credentials on a site like haveibeenpwned.com to make sure that email addresses and passwords aren't already accessible to all. A good password manager can also help mitigate the risk, with some even alerting users when their details are breached.