Robinhood security breach case moves forward

A magistrate judge in San Francisco refused on Tuesday to dismiss a class action accusing online trading platform Robinhood of failing to maintain adequate security measures.

The judge found there may have been a security breach that allowed thousands of accounts to be hacked and looted.

Robinhood has denied that it's network was compromised. It's maintained that the company is not liable because cyber criminals individually hacked the accounts of users by exploiting vulnerabilities in their login credentials.

"What we don't know is whether or not the thief stole a key from the plaintiff or if the thief jimmied a lock on the door," said U.S. Magistrate Judge Susan van Keulen in a tentative ruling allowing the case to proceed. "But we do know that the house was broken into and personal belongings were taken."

Plaintiff Siddhartha Mehta is one of nearly 2,000 people who said their accounts were hacked starting in October. He claimed that Robinhood neglected to disclose that the breach occurred and has refused to return stolen funds in violation of user agreements.

During the Zoom hearing, van Keulen indicated that most of the claims should survive dismissal because the number of users hacked within a relatively short period of time supports a "reasonable inference that there was a security breach." She compared the situation to a boardinghouse in which a resident's belongings are stolen. While it's unknown whether the house or resident is at fault for the theft, she ruled it's irrelevant at this stage of the litigation.

Unlike typical data breach cases in which the defendant has admitted that its computer network was compromised, Robinhood attorney Mark D. McPherson said there's been no such concession in this case. The company cannot be held liable, he argued, for users neglecting to properly secure their accounts.

"If each account holder is renting a room, the allegation is that Robinhood didn't force each renter to lock the door," he said. "It gave them all locks and keys, yet they blame Robinhood."

McPherson also pushed back on claims that a breach likely occurred because a large number of users were affected. He noted that only 2,000 of 13 million accounts were hacked.

Plaintiffs' attorney Kevin Osborne countered that discovery is necessary to uncover further evidence on whether there was a breach of Robinhood's network that led to the accounts being compromised. He said that litigation against Yahoo over 500 million accounts being hacked wouldn't have been possible if a concession by the company admitting that there was a breach is necessary to get past a motion to dismiss.

On whether Robinhood broke its contract with users by promising the highest security standards, van Keulen said she's inclined to dismiss the claim. The statements, she found, were more "puffery" than a promise.

In its user agreement, the company promises it will "protect your personal information from unauthorized access and use" and that it uses "security measures that comply with federal law," including "computer safeguards and secured files and buildings."

Osborne claimed that Robinhood, taking all of its public statements collectively, improperly gives the impression that it employs the best security practices to protect users. It falls far short, he said, of comparable financial institutions.

Van Keulen dismissed the claim with leave to amend. Mehta v. Robinhood Financial LLC, 21-cv-01013 (N.D. Cal., filed Feb. 9, 2021).

The lawsuit alleges a Robinhood "growth-at-all-costs" business model, accusing the company of choosing not to build the necessary infrastructure for a financial institution trading tens of millions of dollars daily on behalf of 13 million users.

The company faces litigation on multiple fronts in the lead up to its initial public offering, including over semi-regular outages and freezing trades for GameStop and AMC when they were the hottest stocks on Wall Street.