Robinhood Data Breach Lawsuit Filed After Customer Information Allegedly Posted to Dark Web

The stock trading app Robinhood allegedly experienced a data breach earlier this year, which led to customers’ personal identifying information appearing on the dark web, according to a recently filed class action lawsuit.

Robinhood is a popular online financial services company, which offers commission-free trades of stocks, options, ETFs and cryptocurrency. It has 24.3 million funded customers, according to the company’s third quarter of 2024 earnings report.

In a complaint (PDF) filed in the U.S. District Court for the Northern District of California on November 22, Tyrone Hammonds claims that there was a Robinhood data breach in 2024, which allowed hackers to gain access to customers’ personal identifying information, including Social Security numbers, which were then made available to other nefarious parties on the dark web.

However, Robinhood has yet to publicly acknowledge the attack, Hammonds claims in the lawsuit. Instead, individuals have had to research for themselves how their data was compromised.

When a person’s Social Security number is made public, it exposes that individual to identity theft, which could lead to criminals opening credit cards or bank accounts in that person’s name, as well as potentially applying for loans, accessing medical records or claiming their tax refunds. All of which can cause immense financial and psychological harm to the individual.

Hammonds alleges that according to his and his counsels’ research, a ransomware organization known as BASHE breached Robinhood’s cybersecurity defenses and accessed customers’ personal identifying information (PII). The hackers then demanded a specific ransom from the company, which had to be paid by October 17, 2024, to keep customers’ information from appearing on the dark web.

However, Hammonds indicates that Robinhood did not make the ransom payment,  and BASHE then sold the data on the dark web. This included Hammonds’ and other customers’ PII, including their Social Security numbers, which exposed them to a high risk of identity theft and fraud.

The Robinhood data breach could have been prevented with proper data encryption, or other protective measures, which the company failed to implement, Hammonds claims.

According to Hammonds’ lawsuit, Robinhood failed to meet U.S. Federal Trade Commission (FTC) guidelines for cybersecurity practices, which include properly disposing of personal information that is no longer needed, encrypting information that is stored on computers, understanding network vulnerabilities, and implementing policies to correct security problems.

“In light of recent high profile data breaches at other industry leading companies, including T-Mobile, USA (37 million records, February-March 2023), 23andMe, Inc. (20 million records, October 2023), Wilton Reassurance Company (1.4 million records, June 2023), NCB Management Services, Inc. (1 million records, February 2023), Defendant knew or should have known that the PII that they collected and maintained would be targeted by cybercriminals,” the lawsuit states.

The lawsuit names Robinhood Markets Inc. as the Defendant, and is seeking class action status on behalf of Hammonds and others similarly situated.

Hammonds presents claims of negligence, breach of implied contract and unjust enrichment, seeking equitable relief, injunctive relief, and awards for actual, nominal, consequential and punitive damages.