Officials of several U.S. states on Monday opened investigations into a massive data breach that occurred last month at VTech, according to press reports.
The award-winning Hong Kong-based maker of electronic learning toys for kids on Friday announced that its Learning Lodge database was breached in a hack attack on Nov. 14.
Learning Lodge lets customers download apps, learning games, e-books, and other educational content to VTech products.
The news first surfaced on Motherboard, which last week reported that the personal information of nearly 5 million adults and more than 200,000 children was exposed. The victims are primarily parents in several countries, including the United States.
Photos and chat logs were stolen from VTech’s Kid Connect service, which lets adults use smartphones to chat with kids using a VTech tablet, Motherboard reported Monday.
VTech initially played down the news, basically saying that on Nov. 14, an unauthorized access of customer data from its Learning Lodge website had taken place.
The company later admitted that it first learned about the breach last Tuesday, via a Canadian journalist’s email asking about the incident.
That triggered an internal investigation, which turned up “irregular activity” on its Learning Lodge website.
The news surfaced after the hacker responsible for the intrusion informed Motherboard of the breach and provided files containing the stolen data. The hacker claimed to have shared the data only with Motherboard.
Weak Protection
The hacker used an SQL injection to gain root access to VTech’s servers.
The data stolen includes names; email, street and IP addresses; passwords; secret questions and answers for password retrieval; customers’ download histories; and the names, genders and birthdates of children who used VTech’s apps.
The compromised data does not include Social Security numbers, driver’s license numbers, or credit card information and data, VTech pointed out.
The company has notified all victims and is securing its systems, it said in a Monday update on the breach.
The Learning Lodge passwords were protected with the MD5 algorithm, which is widely acknowledged to be weak, security expert Troy Hunt, who maintains the Have I Been Pwned? website, told Motherboard.
Further, the secret questions were stored in plain text. Security practices at VTech reportedly were inadequate on several levels. SSL Web encryption wasn’t used, and data was transmitted unprotected. Further, VTech’s websites leaked extensive data from their databases and APIs.
The Threat Level
The danger is that most people use the same emails and passwords for many of their online accounts, said Pter Gyōngyōsi, product manager at Balabit.
“In this world, losing the key to one account is losing the key to the kingdom,” he told TechNewsWorld.
VTech “is discounting the sensitive nature of the stolen data and vastly underestimates the value of a home mailing address, child’s name, date of birth or an email address,” remarked Jeff Hill, channel marketing manager at Stealthbits.
A credit card number “is less valuable” than that type of personal data, because it easily can be canceled, and anomalous purchases readily identified, he told TechNewsWorld.
The stolen data can be used to “develop targeted phishing attacks that can ultimately yield access to any number of personal accounts — credit card statements, banking accounts, 401K plans [and] healthcare accounts,” Hill said.
Risk to Children
VTech has been “colossally irresponsible,” said Beth Marcus, CEO of Playrific. “What would [it] consider personally identifying information? Shoe size — or a geolocated recent photo of a child?”
Kids are at greatest risk from people they know, or who appear to know them, she told TechNewsWorld, and they “don’t need additional information floating around to improve the ability of miscreants’ odds of successful impersonation.”
VTech needs to “decouple all information that identifies kids or anything about them from credential information everywhere in [its] system where it might be at rest,” Marcus advised.
The FCC attorneys working on COPPA “get [this], and are trying to shape rules to limit those risks without destroying opportunities for kids,” she added.
However, compliance with COPPA “may not take into account the inevitable breach scenario, after which it’s too late,” pointed out Mark Bower, global director of product management at HP Enterprise Data Security.
The KidSAFE program, designed to let vendors meet the requirements of COPPA, “requires only basic protections,” and doesn’t go far enough against modern attack vectors, he told TechNewsWorld.
COPPA and KidSAFE perhaps should be revised and enhanced, he suggested.
“This fight is worth fighting,” Marcus remarked. “There’s too much at stake. Imagine saying ‘really sorry we disclosed all that stuff about you when you were 10 — have a nice life.'”