American financial services company Robinhood Markets, Inc. has suffered a data breach that affects seven million customers.

An unauthorized party stole the data of more than seven million Robinhood customers. Based on an investigation, Robinhood believes “the attack has been contained, and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.”

The attackers used social engineering on a customer support employee to obtain access to specific customer support systems. According to Robinhood, the attackers accessed a list of email addresses for approximately five million people, full names for a different group of approximately two million people, as well as additional personal information, including name, date of birth, and zip code, for 310 people, with a subset of approximately 10 customers having more extensive account details revealed. The company claims it is in the process of making appropriate disclosures to affected people.

“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood Chief Security Officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

After the attack was contained, the cybercriminals demanded an extortion payment. The company alerted law enforcement and is investigating the incident with the help of security firm Mandiant. In a statement to The Hill, Charles Carmakal, senior vice president and chief technology officer of Mandiant, said, “Robinhood quickly contained the security incident and conducted a thorough investigation to assess the impact. Mandiant has recently observed this threat actor in a limited number of security incidents, and we expect they will continue to target and extort other organizations over the next several months.”

John McClurg, Senior Vice President and CISO at BlackBerry, says, “The Robinhood data breach highlights the need for a prevention-first approach across industries to minimize the risk and scale of an attack before it cripples an organization. With cybercriminals targeting financial service organizations with the hope to yield a profit, humans and technology must work hand-in-hand to stay one step ahead to secure and protect critical data.”

McClurg adds, “Implementing prevention-first artificial intelligence-driven technology can enable organizations to stop data breaches and ransomware attacks before they occur. Although the breach was reportedly contained, leaked customer information such as full names, dates of birth and ZIP codes can be used to facilitate attacks later, like targeted phishing emails. By halting the cyberattackers in the exploitation stage, organizations can increase resilience and ensure that customers’ and employees’ data are effectively secure.”