VTech Hack Not Child’s Play

Sue Marquette Poremba

Hacking children’s toys may not seem like a topic for a blog that focuses on security in the workplace or professional environments, but this story isn’t just about toys. It’s about the confluence of technologies and how security isn’t keeping up.

The Internet of Things has changed everything. So has cloud computing. Companies remain connected to devices and products after the sale. So when USA Today reports that "sensitive data including photos of kids and their parents along with ‘a year's worth of chat logs’ were impacted during a breach of a VTech database in November," we have to understand it isn't about the toys or the products themselves but that consumers don't realize how much control the company retains. This actually reminds me a lot of the Sony breach, when the information of its gaming system users was compromised. Consumer security is in the hands of companies, and frankly, companies are blowing it.

According to eWeek, the folks at VTech had to admit that their database security efforts had failed. The article went on to explain:

The database weakness is related to a class of security vulnerability known as SQL injection. SQL injection is not a new class of vulnerability as it was first publicly discussed back in 1998 by security researcher Jeff Forristal. In a 2013 video interview, Forristal said he wasn't surprised that SQL injection is still a common vulnerability that is widely exploited.

This statement makes me wonder how many other products have similar hidden security threats, ones that the consumer may never know exist. I bet it never dawned on the parents that their children’s photos and personal information were at risk this way. As the Internet of Things becomes more prevalent, I’d expect to hear about more breaches like this. The VTech breach, however, raises alarm because it does involve the most vulnerable among us, as Carl Wright, general manager of TrapX Security, told me in an email:

It hits home for all of us when cyber attackers target our children's data and profiles. These criminals can breach networks such as VTech's and can operate invisibly, often for months, before they are detected. Corporations must move quickly to adopt new cyber defense strategies that assume attackers are already inside their networks. We must find them before they cause damage or steal confidential data.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba

Dec 6, 2015 9:21 PM INOC | Outsourced Network Operations Center says:
Hi Sue, I totally agree that consumers' security is in the hands of the company. Given that they are asking for our personal information, and our willingness to give it out to them, we should at least get an assurance that no other party will ever get a hold of it except for the company. VTech is just one among the many big companies that have fallen victim to these hacktivists. Hacking isn't a new phenomenon, and yet companies treat it as if it is, and their security remains vulnerable. This incident is particular because attackers usually attack adults since they're the ones who have information that can be exploited. But targeting children? If you were to ask me, it's the last straw that broke the camel's back. And I think it's about time that these companies take action -- especially since it's not just the company's data that is being compromised, but millions of innocent consumers who just want to consume a product.
