Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Robinhood Crypto Penalized $30M for Violating NY Cybersecurity Regulations

Robinhood Crypto fined over cybersecurity failures

Robinhood Crypto fined over cybersecurity failures

The cryptocurrency division of Robinhood has been slapped with a $30 million penalty by New York’s Department of Financial Services for significant violations of cybersecurity and money laundering regulations.

The $30 million penalty, announced late Tuesday via a consent order, adds to a litany of problems at Robinhood that range from security breaches, to ongoing layoffs, to a massive crash in its public market valuation.

According to a statement from the Department of Financial Services in New York, Robinhood Crypto “failed to invest the proper resources and attention to develop and maintain a culture of compliance – a failure that resulted in significant violations of the Department’s anti-money laundering and cybersecurity regulations.” 

“The Department found critical failures in [Robinhood Crypto’s] cybersecurity program. The program did not fully address RHC’s operational risks, and specific policies within the program were not in full compliance with several provisions of the Department’s Cybersecurity and Virtual Currency Regulations.”

[ READ:  Robinhood Hacked, Millions of Names, Emails Stolen ]

The department also outlined “significant deficiencies” in Robinhood’s compliance program and transaction monitoring system, noting that they were inadequately staffed and did not have sufficient resources to adequately address risks specific to Robinhood Crypto. 

Robinhood Crypto was also criticized for improperly certifying to the New York authorities that its transaction-monitoring and cybersecurity regulations were in compliance despite the violations and deficiencies. 

Advertisement. Scroll to continue reading.

In addition, the state said Robinhood Crypto did not publicly provide a dedicated phone number to field complaints from customers, in violation of the rules.

In addition to the $30 million penalty, the company will also be required, as part of the settlement, to retain an independent consultant for a comprehensive evaluation of Robinhood Crypto’s compliance with the regulations and fixing the identified deficiencies and violations.

In September 2021, Robinhood fessed up to a security breach that exposed names and email addresses for millions of users of its stock trading platform.

Related: Robinhood Hacked, Millions of Names, Emails Stolen 

RelatedRobinhood Taps Caleb Sima to Lead Security 

Related: FBI Hacker Offers to Sell Data Allegedly Stolen in Robinhood Breach

Related: Stock Trading Firm Robinhood Stored User Passwords in Plaintext

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.