Dive Brief:
- Tech toymaker VTech recently reported that it was compromised by hackers on November 14.
- According to the BBC, the attack exposed sensitive information from up to five million VTech accounts.
- VTech says the attack exposed "general user profile information," including names, mailing addresses, and encrypted passwords.
Dive Insight:
Mark Bower, global director at HPE Security, said a breach such as this, which compromises the personally identifiable information of children, exposes weaknesses in programs and regulations intended to protect children online. Bower said such regulations "do little to guard against what happens to the data that is collected when a breach occurs."
"This breach shows how little the perimeter security controls offered by KidSAFE do in protecting the child’s data from breach risk," said Bower. "If the data itself is not secured, it is at risk of theft irrespective of access controls and firewalls. Breach after breach proves this beyond any doubt."
Surrey University cyber security expert Professor Alan Woodward told the BBC that the firm may have been subjected to a simple SQL injection, which allows access to and editing of data.
"If that is the case then it really is unforgivable - it is such an old attack that any standard security testing should look for it," Woodward said. "If initial reports are correct then they should be taking their website connection to their databases offline immediately until they can discover how this was done and correct the issue. They also need to be alerting the parents as soon as possible, with particular emphasis on how their children might be approached using this type of data."