If you are “a leader in the Internet safety and security field for over 15 years” and run a company that has monitored and maintained the digital activity records of “260,000 kids in more than 50 countries around the world,” when you fail to password-protect the database for your child activity tracker firm and the database is exposed, would the reasonable response be akin to killing the messenger?
The company, uKnowKids, sells parents a service to track their kids’ online activity, such as social media accounts, chats and posted pictures, as well as text messages via smartphone. While that may seem a bit creepy with a control-freakish vibe, Steve Woda, CEO of uKnowKids, said the company was “created after one of our family children was victimized by an online predator.” Right now it seems like Woda is steaming mad at security researcher Chris Vickery, considering that a good portion of the post alerting parents to a uKnowKids breach is devoted to blistering Vickery.
Vickery, who has a habit of finding and alerting companies to their misconfigured MongoDB databases, claims uKnowKids is in violation of the Children's Online Privacy Protection Act (COPPA), since it “gave public access to over 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles. This includes first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more.”
Vickery knows that because he downloaded the unprotected database as proof and reported the problem to uKnowKids; Salted Hash’s Steve Ragan has seen screenshots and confirmed the database has been exposed for “at least 48 days.”
Woda posted two of “hacker” Vickery’s IP addresses in a uKnowKids breach announcement, which seems ridiculously vindictive coming from an alleged leader in “Internet safety and security.” He added, “The hacker claims to be a ‘white-hat’ hacker which means he tries to obtain unauthorized access into private systems for the benefit of the ‘public good,’” and said the firm is attempting to validate Vickery’s “benign intentions.” One of the lessons learned from this breach, according to Woda, is that “there are bad actors out there on the Internet and in our digital world that seek to exploit the vulnerabilities of our kids, our families, and our organizations for their own personal benefit.”
In return, Vickery noted that uKnowKids, which “claims to make ‘parenting easier and keep kids safe online,’” did just the opposite, since “one of the uKnowKids databases was configured for public access, requiring no level of authentication or password and providing no protection at all for this data.” He finds nothing reasonable about a company bound by COPPA giving “public open, unfettered access to a database containing detailed child information.”
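The failure Vickery describes is a MongoDB server listening on a public interface with no authentication turned on. The following mongod.conf fragments are an added, constructed illustration (not uKnowKids’ actual configuration, which the article does not show): the first reproduces that weak state, the second is the hardened equivalent.

```yaml
# Weak configuration (constructed example): the state the article describes.
# Before MongoDB 3.6, leaving net.bindIp unset meant "listen on every interface",
# and security.authorization has always defaulted to disabled, so a server
# deployed with this config and a public IP answers any client on the Internet
# with full read/write access and no credentials.
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network, including the Internet
# no "security" section -> authentication is never required

---
# Hardened configuration (constructed example): require credentials and stop
# exposing the listener beyond the hosts that actually need it.
net:
  port: 27017
  bindIp: 127.0.0.1        # or the private address of the application server only
security:
  authorization: enabled   # every client must authenticate before any query
```

The `---` separates two alternative files for side-by-side comparison; mongod reads a single YAML document, so only one of the two would be deployed, and after enabling authorization an administrative user and per-application users still have to be created before clients can connect.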
Woda takes issue with Vickery’s “unauthorized access” and demanded that Vickery delete the database and all screenshots. Vickery told Ragan that he securely deleted the database, redacted PII in the screenshots, and kept some of the screen caps “for purposes of credibility and to keep uKnowKids (minimally) honest in their claims.”
The BBC reportedly saw screenshots which included “a family picture of a woman in a car with three small children, lists of usernames and email addresses and folders with names like ‘childicloudimages’ and ‘childfacebookaccounts’.”
If you are a journalist and want more details from uKnowKids, good luck with that. Woda allegedly told Vickery that if any news outlet reported on the breach, the site “could face liability under COPPA (a claim which is, of course, preposterous).” From Woda directly, uKnowKids “will be happy to share appropriate levels of information with you time permitting. You will obviously be a lower priority than our customers and the authorities, but you can count on us to share the relevant facts on this blog as they are discovered.”
The insecure database was secured 90 minutes after Vickery notified uKnowKids. Woda said the “alleged data breach affected about 0.5% of the kids;” the database also contained “uKnow's proprietary natural language processing engine technology and data including our proprietary algorithms that power uKnow's technology.” The company reported the security snafu to the FTC, hired forensic investigators and two pen testing firms to poke around for more potential holes, and started handing out “Norton Safe Shopping Guarantees” to new customers.
It’s easy to see why a company would be upset and fear for the longevity of its business, but if you fail to password-protect a database and someone then discovers it and reports it to you, step up and take responsibility instead of using the blog you describe as “a widely-read, authoritative source of information in the Internet Safety and Security world” to attack the person who embarrassed you. An expert should realize that a database chock-full of personal info on kids and proprietary software could have landed in the hands of a true bad actor who wouldn’t bother to notify you after grabbing all the data.