


Senior Staff Writer

VTech data breach should serve as a warning for parents

Nov 30, 2015 (3 mins)
Data and Information Security, Data Breach, IT Skills

Criminals don't care if the information belongs to a child


Over the weekend, as families gathered for Thanksgiving and shoppers prepared for Black Friday, Hong Kong-based toy maker VTech confirmed that their Learning Lodge app store database had been compromised.

VTech wasn’t aware the records were compromised until a reporter for Motherboard contacted them about the data on November 24.

Shortly after contact was made, the company confirmed the breach, which occurred on November 14. The person responsible for the act, who shared the information with Motherboard, said they didn’t plan on doing anything with the data.

The company was quick to mention the compromised database didn’t store any credit card information, as well as “any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).”

But the compromised database did contain 4.8 million records including names, email addresses, passwords, and home addresses. This information belongs to the parents of children who bought VTech products and needed to provide it as part of a registration process for the Learning Lodge app store.

Unfortunately, the compromised data also included the first name, gender, and birthday for more than 200,000 children.

And that’s the important bit. Financial data can be replaced, and losses stemming from fraudulent transactions because of compromised records can be reversed. But personal information has a longer reach and lifespan.

When a criminal steals your identity, or abuses it for fraudulent gain, the recovery process isn’t as simple as stating, “it wasn’t me.”

The situation is worse when the data compromised belongs to your child.

For children and adults, the recovery process after identity theft is mostly the same, but most parents don’t monitor their child’s credit. This gap in monitoring means that an incident might not be detected until long after the fact, making recovery more difficult.

That’s the short-term solution by the way, monitoring your child’s credit. It isn’t a perfect fix, but it’s something.

Most parents, thanks to data breaches at Target, Home Depot, Anthem, or any of the other massive data breaches in the last year or two, have credit protection and ID monitoring free of charge.

Checking on your kids will cost nothing, because yearly reports are free and identity theft victims can obtain all the necessary reports at no cost.

While the person responsible for the VTech incident says they’re not planning to release the compromised data, there’s no way to be sure of that.

At this point, parents who registered their VTech toy and included their child’s name are exposed, and from the wording of VTech’s statement, the company isn’t sending notifications to the impacted consumers.

Each day more and more data is being collected by organizations across the globe to improve customer experiences or expand sales and marketing efforts. These large data repositories are a tempting target for criminals.

VTech made a number of security errors when it came to collecting and storing customer information, which security researcher Troy Hunt explained in a blog post this weekend.

However, they’re not alone. Organizations the world over are still having a hard time protecting information – and as proof you only need to scan the headlines for breach-related news.

The VTech incident should serve as a reminder and a lesson.

Be mindful about the information you’re sharing with the places you do business with, and more so when it comes to sharing information about your child.