Online stock trading platform and broker-dealer Robinhood Financial moved closer to paying $20 million as part of a class-action settlement with thousands of customers whose accounts were allegedly accessed by unauthorized users.

From January 2020 through April 2022, Robinhood “used substandard security practices and lacked security measures used by other broker-dealer online systems,” according to a motion for settlement filed July 1 in U.S. District Court for the Northern District of California. A California magistrate judge granted preliminary approval of the deal Tuesday, according to court documents.

Robinhood agreed to settle without admitting any liability or wrongdoing.

As part of the lawsuit, approximately 40,000 customers claimed their accounts had been breached since 2020; the suit also alleged violations of the California Consumer Privacy Act (CCPA).

During the lawsuit’s relevant period, Robinhood was the subject of a November 2021 breach in which a hacker obtained the email addresses or names of approximately seven million of its customers. At the time, the company said the bad actor “socially engineered a customer support employee by phone and obtained access to certain customer support systems.”

As part of the settlement, Robinhood agreed to pay $500,000 in fees and $19.5 million in damages, and to provide two years of credit monitoring and identity theft protection for the affected parties. The company is also required to “maintain improved policies and procedures” to prevent unauthorized access to customer accounts, including:

  • Supplemental two-factor authentication;
  • Screening for, and prompting users to update, potentially compromised passwords;
  • Proactive monitoring of account takeovers;
  • Customer awareness campaigns that provide information and tools for better cybersecurity hygiene; and
  • Real-time voice support.

The company must maintain these new procedures for a minimum of 18 months and could be required to pay further damages if it fails to comply, according to the settlement.

Robinhood did not respond to a request for comment.

Related case: Robinhood Crypto was fined $30 million by the New York State Department of Financial Services earlier this month for “significant failures” in its Bank Secrecy Act/anti-money laundering and cybersecurity compliance programs.

The company was found to have inadequate staffing, failed to transition from a manual transaction monitoring system unfit for the firm’s size, and did not have sufficient resources to address cryptocurrency industry risks.