VTech data breach exposes personal info of parents, kids

1 Dec 2015 | Author: | No comments yet »

Children’s data exposed in VTech toy company hack.

Parents who use VTech’s Learning Lodge app store have another concern. A hacker who broke into connected toymaker VTech’s servers found thousands of pictures of children and chat logs between them and their parents, alongside millions of home addresses, passwords and names.VTech, a Hong Kong-based company that sells baby monitors and digital learning toys such as children’s tablets, announced over the weekend that the data for five million “customer accounts and related kids profiles worldwide” were compromised as part of a cyberattack.COSTA MESA (CBSLA.com) — As many as 5 million parents and 200,000 children may have may have had their personal customer information hacked into over the site for the popular electronic learning product company, VTech.

The electronic toy maker’s app store was hacked last week, exposing the personal information of about five million customers including thousands of children. “There’s certainly accountability on their behalf. The data breach affected the company’s app store, exposing the email addresses, names and passwords of adults, and the first names, birthdays and gender for kids. The stolen data included names and birth dates of kids, mailing addresses, e-mail addresses, as well as what e-books, learning games and other software were downloaded to toys, the company said in a statement posted online. On its website, VTech describes itself as the number one “player” in infant toys in Britain, France, Germany and Spain, and tops globally when it comes to electronic learning products for children. “We immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks,” VTech said. The company’s failure to fully encrypt and protect sensitive data (including photos and audio) has left millions of users, including children, vulnerable to personal identification, potential cyber crime or identity theft.

A hacker was able to pull up photos taken of children with their parents, along with chats and audio recordings made with the “Kid Connect” service, according to the tech site CNET and the online magazine Motherboard. “I’m not surprised,” Plesco said. “They’re using mobile applications. The 190Gb worth of images stored on VTech’s servers were taken through its Kid Connect service, which allows parents and children to message each other via its smartphones and tablets. The question might become did they take sufficient measures to stop it from being lost?” Parents should ask about a website or app security before registering personal information.

Troy Hunt, Microsoft’s MVP for developer security who assisted Motherboard in their investigation, said that as a father the leak had prompted him to think more carefully about the “footprints I’ll make for [my two children] online”. “I personally have a mixed reaction to this event; I’m upset that someone would seek to take this class of data from a system, yet on the other hand, the data seems to have been very closely held and I hope it stays that way,” he wrote on his website. “But what really disappoints me is the total lack of care shown by VTech in securing this data. So, reverse engineering the software isn’t that hard.” VTech suggests that no credit card information or Social Security numbers were taken in this specific incident, but Plesco says VTech did not do enough to encrypt customers passwords and data. It’s taken me not much more than a cursory review of publicly observable behaviours to identify serious shortcomings that not only appear as though they could be easily exploited, evidently have been. Despite the frequency of these incidents, companies are just not getting the message; taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.” Louise Bulman, vice president EMEA at encryption and data security company Vormetric, said the nature of the accessible information was particularly concerning. “VTech has joined the increasingly long line of organisations facing a rather bleak end to 2015, as it becomes the latest to suffer a high-profile data breach.

The company took down the Learning Lodge website and as of Monday, consumers could only see a message: “Due to a breach of security on our Learning Lodge website, we have temporarily suspended the site.” VTech is hardly the only company going high-tech. The new “Hello Barbie,” a doll that uses artificial intelligence to learn about children and carry on real time conversations, was released earlier this month – raising alarm bells for some consumer protection watchdogs. Mattel and ToyTalk, the company behind the doll’s voice features, have gone to great lengths to assure customers that information the doll collects will be safeguarded.

But even the doll’s privacy policy acknowledges that they cannot promise the data will stay private. “We take reasonable measures to protect personal information in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration, and destruction,” it reads. “Please be aware, however, that despite our efforts, no security measures are perfect or impenetrable and no method of data transmission that can be guaranteed against any interception or other type of misuse.” All to often, companies are rushing to add connectivity to their products without taking the security and privacy implications into account. Many toys are likely already vulnerable to data breaches, but have gone under the radar because attackers haven’t figured out how to make money from hacking them yet, said Tyler Shields, a principal analyst focused on digital security at Forrester Research. The agency declined to weigh in on the specific incident. “FTC investigations are non-public and we do not comment on an investigation or the existence of an investigation,” a spokesperson said.

Here you can write a commentary on the recording "VTech data breach exposes personal info of parents, kids".

* Required fields
Our partners
Follow us
Contact us
Our contacts


ICQ: 423360519

About this site