Class Action Filed Over Robinhood Data Breach, Stresses Scope of Information Stolen Is ‘Yet Unknown’

Robinhood Markets, Inc. faces a proposed class action lawsuit in New York over its alleged failure to safeguard reams of confidential information belonging to millions of current and former users of the online stock trading platform. 

Filed in Brooklyn on November 10, the 26-page complaint alleges that although the full scope of the Robinhood data breach is yet unknown, information stolen from users is currently believed to include names and email addresses “in most cases,” and potentially zip codes and dates of birth in others. Information collected by Menlo Park, California-based Robinhood on its more than 31 million users includes not only names and addresses but telephone, Social Security, credit card, bank account, and driver’s license numbers, in addition to consumers’ credit ratings, the case says.

In its November 8 announcement of the breach, Robinhood said that it believed based on its own investigation that approximately five million users were affected. The company added that after containing the “intrusion,” the party who claimed responsibility for the cyberattack “demanded an extortion payment,” though Robinhood has not stated whether it paid the hacker’s ransom.

The filing contends that information stolen in the breach can be used by nefarious parties to gain unlawful access to a consumer’s other online accounts and commit identity theft or other types of fraud. According to the lawsuit, the estimated number of users affected by the Robinhood data breach has jumped to roughly seven million.

The lawsuit argues that although the precise methods used to carry out the data breach are yet to be known publicly, Robinhood nevertheless could have prevented the hack had the company had “basic security measures, authentications, and training” in place. The case chides Robinhood for its alleged failure to foresee the possibility of a cyberattack, in particular given the prevalence of similar incidents, its assurance that it would protect users’ personally identifiable information (PII) and its own history of user data being compromised by unauthorized third parties.

Contrary to these promises, and despite the fact that the threat of a data breach has been a well-known risk to Defendant, which has experienced data breaches in the past, especially due to the valuable and sensitive nature of the data Defendant collects, stores and maintains, Defendant failed to take reasonable steps to adequately protect the PII of its current and former customers. The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect PII.”

The four plaintiffs behind the suit allege Robinhood has violated Federal Trade Commission guidelines and New York’s SHIELD Act, which amends the state’s existing data breach notification statute and imposes more data security mandates on companies who collect information from New York residents.

What did Robinhood say about the data breach?

On or about November 8, 2021, Robinhood disseminated a notice in which it stated that the platform experienced a “data security incident” late in the evening on November 3. During the incident, the company said, an unauthorized third party gained access to “a limited amount of personal information” for a portion of Robinhood’s customers. Robinhood said that based on its investigation, the attack had been contained, no Social Security, bank account or debit card numbers were believed to be exposed, and no customers incurred financial losses due to the incident.

According to Robinhood, the unauthorized party behind the breach “engineered a customer support employee by phone and obtained access to certain customer support systems.” Robinhood stated that the hacker obtained a list of email addresses for approximately five million people, and full names for a different group of roughly two million people.

The company also said it believes that approximately 310 people in total had additional personal information exposed, including names, dates of birth and zip codes, with a subset of around 10 customers having their extensive account details compromised.

“We are in the process of making appropriate disclosures to affected people,” Robinhood said.

The lawsuit says that although Robinhood has emphasized its purported commitment to protecting users’ personally identifiable information—and could reasonably have foreseen the possibility of a data breach given the vast amount of personal user information it collects, manages and maintains—the company has nevertheless failed to protect the data of more than seven million current and former users. The suit stresses that the true number of individuals affected by the Robinhood data security incident is still uncertain.

Lawsuit calls Robinhood aid to data breach victims “wholly inadequate”

With regard to aid offered by Robinhood to users wrapped up in the data breach, the lawsuit says that the company so far has “merely advised customers of identity theft and credit monitoring services to which they may subscribe.” The lawsuit contends that this offer is “wholly inadequate” as it both fails to account for the fact that data breach victims often face years of ongoing identity theft and offers no compensation to Robinhood customers for the unauthorized disclosure of their information.

Moreover, Robinhood’s apparent inaction in the wake of the data breach “squarely places the burden on Plaintiffs and Class Members” to handle any fallout from the cybersecurity incident, including investigating and protecting themselves.

“Rather than automatically enrolling Plaintiffs and Class members in monitoring services upon discovery of the breach, Defendant merely sent instructions offering the services to potentially affected customers with the recommendation that they sign up for the services,” the suit relays.

Who’s covered by the Robinhood data breach class action?

The lawsuit looks to represent all United States residents whose personally identifiable information was compromised in the data breach initially disclosed by Robinhood on or about November 8, 2021.

The suit also looks to cover a class that includes all New York residents whose personally identifiable information was compromised in the same data breach.

I am (or was) a Robinhood user. Can you add me to the lawsuit?

When a class action lawsuit is initially filed, there’s generally nothing you need to do to make sure you’ve joined or are considered included in the case. Fact is, it’s usually only if and when a class action suit settles that a consumer who’s covered by the case, i.e., a class member, would need to act, meaning they’d have to file a claim form online or by mail.

In the event of a settlement, consumers covered by the deal would more than likely receive notice with instructions on how and by when to file a claim for whatever compensation is approved by the court.

We’re getting ahead of ourselves, though. It’s true for the most part that class actions take some time to work their way through the legal process, usually toward a settlement, dismissal or arbitration outside of court. For Robinhood users, what you can do at this point is stay informed by signing up for ClassAction.org’s free weekly newsletter.

We’ll update this page with any new developments, so be sure to check back from time to time.