VTech hack exposes personal information of millions of customers

VTech, a company dedicated to making technology and educational toys aimed at young children, revealed that it was recently compromised by hackers. According to a report from the BBC, the attack occurred on November 14 and exposed sensitive information of up to five million VTech accounts.

According to VTech the attack exposed “general user profile information.” That includes things such as names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories. A compromise of this sort of personally identifiable information (PII) is a problem for users of any age, but it’s particularly concerning that children who haven’t yet entered kindergarten already have their data hacked.

It also represents a greater risk of identity theft. Identity theft and credit fraud of adults often raises red flags that allow victims to detect it. The victims in this case, however, won’t even be thinking about applying for credit or setting up a bank account for years—possibly a decade or more. By the time they try to open a line of credit they may discover that their credit score has been destroyed long ago by identity thieves.

“Hardly a day passes now without a breach of some sort, and it makes those of us embedded in the security and data protection world wonder when organizations will demonstrate a sense of urgency,” proclaimed David Gibson, VP of strategy and market development at Varonis.

Gibson stressed that most organizations and individuals are still struggling to get the basics of security and data protection right, and there is still too much focus on keeping the bad guys “outside” the network through perimeter defenses. “Instead of pouring all of your energy into building a very high, very strong fence, spend more time making sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analyzing it properly will help organizations identify attackers on their network and hopefully mitigate any damage.”

Mark Bower, global director at HPE Security, pointed out that a breach like this that compromises PII of children who don’t even know what PII is also exposes weaknesses in programs and regulations intended to protect children online. Regulations like COPPA (Children’s Online Privacy Protection Act) mandate rules for how companies can collect or use data from children, and programs like KidSAFE (which VTech participates in) implement controls designed to protect children. Bower notes that, unfortunately, such regulations do little to guard against what happens to the data that is collected when a breach occurs.

Bower declared, “This breach shows how little the perimeter security controls offered by KidSAFE do in protecting the child’s data from breach risk. If the data itself is not secured, it is at risk of theft irrespective of access controls and firewalls. Breach after breach proves this beyond any doubt.

We don’t yet have all of the details and there will most likely be more news as the dust settles. Gavin Reid, VP of threat intelligence for Lancope, summed things up pretty well, though. “It is terrible even thinking that these children have had their data exposed before they even know what it is. This is the new world order in privacy, where you should expect anything handed over to organizations to be exposed at some point.”