Robinhood sued over data security incident
A couple of days after online trading company Robinhood confirmed a data security incident affecting millions of its clients, the company is sued because of the data breach.
A number of Robinhood users – Adam Zullo, David Perez, Thomas Barretti, and Thomas Richardson have filed a class action complaint against Robinhood Markets, Inc.
The complaint, submitted at the New York Eastern District Court on November 10, 2021, and seen by FX News Group, alleges Robinhood’s failure to safeguard the confidential information of millions of current and former Robinhood customers. The confidential information stolen appears to be encompass names and e-mail addresses in most cases, but also zip codes and dates of birth in others, with the full extent of the Personal Identifying Information (PII) obtained not yet being fully known.
On or about November 8, 2021, Robinhood announced that on November 3, 2021:
The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people – approximately 310 in total – additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.
The confidential information that was compromised in the Data Security Incident can be used to gain unlawful access to the users’ other online accounts, carry out identity theft, or commit other fraud and can be disseminated on the internet, available to those who broker and traffic in stolen PII.
While the sophistication of the methods employed in effectuating the Data Security Incident is not publicly known, it is certain that the Data Security Incident could have been avoided through basic security measures, authentications, and training, the traders allege.
The plaintiffs stress that, at all relevant times, Robinhood promised and agreed in various documents to safeguard and protect Personal Identifiable Information (PII) in accordance with federal, state, and local laws, and industry standards, including the New York SHIELD Act. Robinhood made these promises and agreements on its websites and other written notices and also extended this commitment to situations in which third parties handled PII on its behalf.
According to the plaintiffs, the Data Breach was a direct result of Robinhood’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect PII.
The plaintiffs say that Robinhood’s failure to implement and follow basic security procedures has resulted in ongoing harm to Plaintiffs and Class members who will continue to experience a lack of data security for the indefinite future and remain at serious risk of identity theft and fraud that would result in significant monetary loss and loss of privacy.
Accordingly, the plaintiffs seek to recover damages and other relief resulting from the Data Security Incident, including but not limited to, compensatory damages, reimbursement of costs that Plaintiffs and others similarly situated will be forced to bear, and declaratory judgment and injunctive relief to mitigate future harms that are certain to occur in light of the scope of this breach.