The recent massive hack of the Hong Kong-based toymaker VTech compromised the personal data of not only millions of children but of their parents as well. With the data of 6.4 million kids and nearly 5 million parents stolen, this case is said to be the largest known theft of personal data targeting children, and the biggest ever attack on a toy firm. In an online post, VTech declared that almost half (46%) of the parents’ accounts that were hacked belonged to users in the U.S., while several other countries make up the balance (18% from France, 12% in the U.K., 8% in Germany, and 5% or less each for the rest of the countries).
The leaked data exposed gigabytes’ worth of children’s and parents’ photos, chat logs, and conversation recordings, on top of names, email addresses, passwords, birthdays and home addresses. The incident has raised questions about child safety at a time when the Internet of Things (IoT) has moved on to toys and increasingly encourages children to share personal information and play online.
Internet of Things (IoT): the network of physical objects or ‘things’ embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.
Source: SBS News
In an interview with Motherboard, the VTech hacker, who requested to remain anonymous, said that the company was guilty of using “shitty security”. From the very beginning, the hacker made it clear that publishing the data, or selling it on an online market, was never his intention. He revealed that what brought him to hack into VTech’s servers was the aim of exposing the company’s inadequate security practices.
“I just want issues made aware of and fixed”, the hacker disclosed to Motherboard. “Frankly, it makes me sick that I was able to get all this stuff.”
Buyers of VTech’s cameras, watches and tablets are encouraged to provide names, addresses and birth dates when signing up for accounts, through which they can download updates, games, books and other content to personalise the VTech experience.
VTech said the hacker compromised its Learning Lodge app store, which provides content for children’s tablets, and its Kid Connect mobile app service that lets parents communicate with those tablets. According to Juniper, toys that gather data on the user, like VTech’s line of cameras, watches and tablets and their associated websites, will probably see further growth of 58% annually.
The South-East Regional Organised Crime cyber unit (SEROCU) said in a statement that it has since arrested a 21-year-old man in Bracknell, located about 30 miles west of London, which is home to numerous tech firms. The man was detained on suspicion of unauthorized access to a computer to facilitate the commission of an offense. British police said several electronic items were seized and would be examined by SEROCU’s cybercrime unit.
A spokesman for SEROCU said it had worked closely with partner agencies on the operation, which focused on the hacking of applications belonging to VTech, and stated:
“A 21-year-old man was arrested today in Bracknell on suspicion of unauthorised access to computer to facilitate the commission of an offence, contrary to Section 2 of the Computer Misuse Act 1990 and suspicion of causing a computer to perform function to secure/enable unauthorised access to a program/data, contrary to section 1 of the Computer Misuse Act 1990”.
In Hong Kong, the office of the privacy commissioner for personal data, an independent body that oversees data privacy, said it is investigating how VTech safeguards personal data. In Britain, where 1.3 million accounts were compromised, the Information Commissioner’s Office, an independent data-protection body, said it is also investigating the data breach.
“We are still at the early stages of the investigation and there is still much work to be done,” Craig Jones, head of the regional cybercrime unit, said in a statement.
Source: Toons Online
In this case, VTech was ‘lucky’ in the sense that the hacker claims he does not intend to publish or sell the stolen data, but merely wanted to make the company aware of the extent of its dismal security. However, not all hackers may be as forgiving.
Digital products aimed at kids usually have far weaker security than other computer products. Hackers are very aware of the lack of security in toys and other Wi-Fi-connected devices and, with demand for IoT devices booming, will continue to exploit these vulnerabilities. Shipments of toys that connect to the Internet will rise 285% over the next five years, according to estimates by UK-based Juniper Research.
Additionally, it is not only the children’s data that is accessed in these hacks, but also that of their parents, who often have accounts linked to their kids’ for guardian approval. The data taken from VTech could also be used to craft an attack on other web accounts used by the parents. Learning about a person’s lifestyle and family is already halfway to committing fraud using the victim’s details, or to answering password security questions like “what is your pet’s name”. Kids have no credit history and their parents generally are not checking their credit reports, making them easy targets. In the future, this stolen data could be held and used to target kids when they come to create their own online profiles and bank accounts, and no one would even know anything was wrong until that child applied for credit later in life.
Don’t be stupid! As much as possible, do not disclose your children’s information on the internet! Your kids do not know any better about the big bad cybercrime world, so it is still parents who are responsible for their kids’ safety, and it is still up to parents to be aware of the risks of letting their kids on the Internet, and especially of putting personally identifiable information out for the world to grab.
Source: The Internet Patrol
If you or your child has ever registered anything through any of the VTech sites, including:
…then you should contact VTech at whichever below email address is applicable to you:
Australia and New Zealand: firstname.lastname@example.org
Hong Kong: email@example.com
Other countries and regions: firstname.lastname@example.org
(Addresses updated by The Internet Patrol)
For a really in-depth analysis of the VTech data breach, see the dissection of the hack by Troy Hunt.
 Wall Street Journal
 NBC News