When a Hacker Calls: How Robinhood Fell Victim to a Vishing Raid
By the way, the call was coming from inside the company.
(Bloomberg) -- The call was coming from inside the company.
Or so it seemed when the mobile phone of a customer-service representative for Robinhood Markets Inc. lit up on the evening of Nov. 3. More than an hour passed -- on and on the conversation ran, as the caller reeled in the hapless employee.
By the time it was over, that one Robinhood rep had unwittingly handed over keys to the personal information of about 7 million customers, in what’s now believed to be one of the biggest retail brokerage cyber-breaches of all time, by number of accounts affected.
Robinhood didn’t learn of the lapse until the rep got home and told a relative about the strange call -- and was promptly advised to escalate it, according to a person familiar with the matter. Only then did the employee inform the company, whose free trading app caught fire with young people buying meme stocks, options and crypto during the pandemic, at times with devastating results.
Robinhood declined to comment on the agent’s performance. It said separately that, to its knowledge, no Social Security numbers or data about debit cards or bank accounts were compromised. Nor did customers incur financial losses, according to the firm.
Such assurances aside, the hack -- the details of which haven’t been previously reported -- raises new questions about Robinhood’s efforts to ensure that its millions of customers get the support and help they need to invest safely.
The breach was a stunning example of what’s known as a vishing (voice phishing) attack, in which a mark is talked into revealing crucial bits of information -- the sort of lapse that brokerages work hard to prevent through training.
Some Robinhood insiders have been warning that the company’s belated push to improve customer service has failed to keep pace with its breakneck growth. In late 2019, there were roughly 370 support staff, more than half of them outsourced, to work with 5 million customers. Today, there are about 1,000 reps to deal with 22.4 million customers, the majority of them new to trading.
Two former Robinhood support staffers said that at times the team’s focus on growth backfired and led to internal clashes.
In one example, a group of managers expressed trepidation over the company’s decision to move to 24/7 phone support for all customer queries, fearing the team wasn’t ready, according to one of the people, who asked not to be identified because because the debate was not public. Robinhood also tested an instant message-based customer service system in early 2021 but dismissed that approach as too complicated, two people said.
A Robinhood spokesperson said the company is “proud to offer 24/7 phone support, which is the best way to serve our customers and which we rolled out thoughtfully and methodically over the course of nearly a year.”
This month’s debacle is just the latest in a series of customer service headaches for Robinhood, including a separate hacking episode last year and a major system outage in March 2020.
“Robinhood has this situation where they’re always in a crisis six-to-18 months ahead of where their operations are,” said Mazi Bahadori, chief compliance officer at Altruist Corp., an investment platform for financial advisers. “This hack is an example of it.”
The hackers walked off with thousands of phone numbers and millions of email address -- details criminals can use to induce people via phishing emails to reveal still more personal information, such as passwords and credit-card numbers. Also among the stolen valuables: photo ID information for fewer than 10 customers, according to the firm.
Other technology companies have fallen victim to vishing attacks. In July 2020, for instance, hackers manipulated several popular Twitter accounts, including those of Joe Biden, Elon Musk and Jeff Bezos, and used information to target employees with access to account-support tools.
Financial firms should stay on alert for vulnerabilities in every department, said Joanna Fields, founding principal at consultancy Aplomb Strategies.
“The more people are aware that it could happen anywhere in the organization, the better,” she said. “There are very sophisticated actors looking for information.”
©2021 Bloomberg L.P.