Robinhood Sued Over Data Breach

The 7 million affected customers face a lifetime risk of identity theft due to the firm's failure to safeguard data, the suit maintains.

Robinhood, a stock trading app, was hit with a class-action lawsuit Wednesday in California Northern District Court in response to a data breach that occurred Nov. 3.

The suit, filed on behalf of current and former customers, alleges that Robinhood failed to safeguard their personal information from hackers and that they face a lifetime risk of identity theft.

Robinhood allows customers to trade securities and cryptocurrencies on a mobile app.

On Nov. 3, hackers gained access to the personally identifiable information of over 7 million Robinhood customers, including full names, email addresses, dates of birth and ZIP codes.

Robinhood announced the data breach on Nov. 8.

At least since that date, the suit states, Robinhood has maintained a blog post on its website titled “Robinhood Announces Data Security Incident.”

The blog post states, in part, that the data breach occurred late in the evening of Nov. 3, and that “an unauthorized third party obtained access to a limited amount of personal information for a portion of our customers.”

Robinhood’s blog states that “based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.”

The blog says: “We understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people — approximately 310 in total — additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed.”

On Nov. 16, Robinhood updated its Nov. 8 announcement “to admit that further information, including customers’ phone numbers and other undisclosed types of PII were exposed” in the data breach, the suit states.

“Indeed, it appears that Robinhood did not even implement basic security measures despite Robinhood’s promises that it: (i) would not disclose consumers’ PII; and (ii) would protect consumers’ PII with adequate security measures,” the suit states.

Robinhood customers’ PII exposed in the data breach is currently up for sale on the dark web, according to the suit.

“The seller indicated that he was expecting to sell the information for at least ‘five figures,’ and the information is ‘highly profitable in the right hands,’” the suit maintains.

“As a result, Robinhood’s customers face a lifetime risk of identity theft,” the suit maintains.