It has been reported that over 5 million parents and 200,000 children have had their personal details leaked in one of the largest consumer hacks we have ever seen. As an information security professional with young children, the bleeps of a VTech are a familiar backdrop to my weekends.
Fortunately however my children don't have a VTech InnoTab device whose customer data appears to have been compromised en masse which on a personal level I can only be thankful for.
As security professionals we are typically challenged with the 'so what?' question – consumers and businesses ask us whether it truly matters if one’s personal information is taken, they judge the consequence of a hack based entirely on the monetary cost and one can see that being played out by Vtech's glib response of 'no card data or financial information was stolen' - great!
However this slightly unapologetic response masks the true problem VTech customers face; their children's future online identities and possibly even their real world ones are already at risk. Names, emails, parent information, addresses, security questions were all poorly protected with only a very basic level of encryption that the hacker described as “trivial” to crack, and the children's names were directly linked to their parents accounts that contained further sensitive data such as postal and email addresses.
This could be the data heist with the most significant potential for long-term damage. The majority of fraudsters are worried about how long their data can be used for; for example credit card data can be blocked fairly quickly and adults are able to use credit reference agencies to monitor unusual credit activity. However, in this case the children are completely vulnerable. Luckily, the hackers are claiming they will not be selling the data or using it for nefarious means but if they change their minds this could result in a cybercriminal 'buy and hold' strategy. Not only do the hackers hold vast amounts of email addresses that will almost certainly be the target of spammers which they will be able to gain immediate value from if they choose to sell, but any of the accounts where children's names can be linked to their parents could be providing them with answers for future security questions already coupled with dates of births and addresses - this is a treasure trove of long term value.
Fraud could well be timed over a period of years and criminals could well take advantage of this data with even darker consequences, not necessarily even for that exact child but for others. Imagine coupling this identity information with pictures of the users and we have a real world problem.
People traffickers looking to steal identities, or even create them, could do so now before the parents can react and have almost everything they need to match data with a potential mark and start piecing together a fraudulent identity for any number of ills.
Andrew Barratt, managing director for Europe at Coalfire (opens in new tab)