Toy maker hack exposes data of 5 million – including personal info of children

1 Dec 2015

High tech toys expose kids to hackers.

On Black Friday, the technology-reporting website Motherboard reported that Hong Kong electronics maker VTech was targeted by hackers. A hacker who broke into connected toymaker VTech’s servers found thousands of pictures of children and chat logs between them and their parents, alongside millions of home addresses, passwords and names.

VTech, a Hong Kong-based company that sells baby monitors and digital learning toys such as children’s tablets, announced over the weekend that the data for five million “customer accounts and related kids profiles worldwide” were compromised as part of a cyberattack. The electronic toy maker’s app store was hacked last week, exposing the personal information of about five million customers including thousands of children. “There’s certainly accountability on their behalf.” The data breach affected the company’s app store, exposing the email addresses, names and passwords of adults, and the first names, birthdays and gender for kids. The stolen data included names and birth dates of kids, mailing addresses, e-mail addresses, as well as what e-books, learning games and other software were downloaded to toys, the company said in a statement posted online. VTech runs an online store called the “Learning Lodge” that sells apps, e-books, and other content for its suite of educational tablets and devices.

The company’s failure to fully encrypt and protect sensitive data (including photos and audio) has left millions of users, including children, vulnerable to personal identification, potential cyber crime or identity theft. A hacker interviewed by Motherboard’s Lorenzo Franceschi-Bicchierai said that they used a “SQL injection” attack, a simple and extremely common hacking technique in which hackers enter commands into website forms in order to make websites return the data they want. Such attacks are easy to defend against, but VTech did not have the proper protocols to do so. The 190Gb worth of images stored on VTech’s servers were taken through its Kid Connect service, which allows parents and children to message each other via its smartphones and tablets. “It was pretty easy to dump, so someone with darker motives could easily get [the information from VTech],” the hacker told Motherboard in an encrypted chat.

“The question might become did they take sufficient measures to stop it from being lost?” Parents should ask about a website’s or app’s security before registering personal information. Troy Hunt, Microsoft’s MVP for developer security who assisted Motherboard in their investigation, said that as a father the leak had prompted him to think more carefully about the “footprints I’ll make for [my two children] online”. “I personally have a mixed reaction to this event; I’m upset that someone would seek to take this class of data from a system, yet on the other hand, the data seems to have been very closely held and I hope it stays that way,” he wrote on his website. “But what really disappoints me is the total lack of care shown by VTech in securing this data. It’s taken me not much more than a cursory review of publicly observable behaviours to identify serious shortcomings that not only appear as though they could be easily exploited, evidently have been.” VTech’s legal department is handling those inquiries, though both sides are still in the early stages of communication, Corinna Chan, a spokeswoman for VTech, said by phone.

Although the perpetrators didn’t steal financial data, they could use the information to gain access to social media profiles or to target children online, said Bryce Boland, Asia chief technology officer for FireEye Inc. “It may be that this data theft is only the tip of the iceberg,” Boland said in an e-mail. “Until there is a thorough forensic investigation, they won’t know if they can still be sucker-punched in cyberspace. Despite the frequency of these incidents, companies are just not getting the message; taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.” Louise Bulman, vice president EMEA at encryption and data security company Vormetric, said the nature of the accessible information was particularly concerning. “VTech has joined the increasingly long line of organisations facing a rather bleak end to 2015, as it becomes the latest to suffer a high-profile data breach.” VTech has said that credit card information, Social Security numbers, and driver’s license numbers are not stored either in the Learning Lodge or in their customer database, and have not been affected by the breach. But the VTech breach shows this data isn’t always being guarded well. “Toy companies are rushing to cash in on the changing nature of childhood in the Big Data era, where Internet connected toys are linking children to a vast surveillance network,” said Jeffrey Chester, the executive director of the Center for Digital Democracy. “These playthings can monitor their every move, turning what should be innocent and pleasurable experience into something potentially more sinister.” VTech sells popular toys mainly for young toddlers, including its “Sit-to-Stand Learning Walker,” “Baby’s Learning Laptop,” and “Kidizoom Smartwatch DX.” The breach involved data collected by its Learning Lodge app store, where customers could download games and educational programs for some toys.
The regulator said its probe will seek to determine if VTech took appropriate steps to safeguard information and what remedial steps it will adopt to prevent similar incidents in the future.

This holiday season, Fisher-Price has been hawking its Smart Toy Monkey as an “interactive learning buddy” that “talks, listens and remembers what your child says.” The company states on its website that “we never send voice data over the Internet.” The toy, however, checks a “secure server each day to see if there are new activities for your toy to learn” and remembers how engaged a child is with each activity. The new “Hello Barbie,” a doll that uses artificial intelligence to learn about children and carry on real-time conversations, was released earlier this month, raising alarm bells for some consumer protection watchdogs. Mattel and ToyTalk, the company behind the doll’s voice features, have gone to great lengths to assure customers that information the doll collects will be safeguarded. Many toys are likely already vulnerable to data breaches, but have gone under the radar because attackers haven’t figured out how to make money from hacking them yet, said Tyler Shields, a principal analyst focused on digital security at Forrester Research.
