
There’s a 17-Year-Old Cybersecurity Rule at the Center of the Robinhood Hack

Protocol

The data breach Robinhood recently disclosed sounds like the parade of hacks consumers have become numb to by 2021: Attackers fooled a customer support worker by phone, then gained access to millions of email addresses and tried to extort the company, Robinhood said.

[…]

In contrast to the SEC's regulations, the new FTC rules include requirements for the use of encryption, multi-factor authentication, annual penetration testing, guardrails on access to information that employees don't need and disposal of some long-unused unnecessary data.

"It's become such a serious impact on the economy and on individuals' lives that it's now at that point" where the government wants to make changes, said Sharon Klein, chair of the privacy, security and data protection practice at the law firm Blank Rome.

[…]

The SEC regulations say "policies and procedures must be reasonably designed" to ensure security and protect records, a standard that has developed alongside more recent cybersecurity best practices and court cases. The agency does enforce those more updated standards: It went after nine firms this year under those guidelines, all of which settled.

Authorities may well find that the potential gaps in training, and the broad access to personal data that Robinhood customer service workers appear to have had prior to the breach, failed to meet the "reasonable" standard in place today, Klein said.

The Robinhood hackers, for instance, got access to "an internal tool that presented them the option of tampering with user accounts" as well as the ability to see user information including balances and trades, according to a Vice report.

"Even old school, it's going to be pretty easy to find a violation in terms of what I'll call the lack of cyber-discipline or -hygiene," Klein said.

[…]

Cybercrime is likely to keep rising, particularly since the pandemic sent many workers home to potentially less-secure environments, and firms with financial information make for particularly attractive targets for attackers.

"They need to only get that right once, and you have to get it right every time," Klein said.


“There’s a 17-Year-Old Cybersecurity Rule at the Center of the Robinhood Hack,” by Ben Brody was published in Protocol on November 15, 2021.