Skip Tags

Popular Tags

Decorative icon

The Resource Center Online Security Issues & Protection | article

Hong Kong Based Toymaker VTech Experiences Hack—Leaves Children Exposed to Hackers

Technology's quickly growing reach has now started to leave children exposed to hackers through digital learning toys that can be compromised. This week, Hong Kong based toymaker, VTech, announced that the personal information of about 5 million "customer accounts and their related kids profiles worldwide" may have been compromised in a cyber attack.

The company first disclosed the breach of a customer database late last week, but did not specify how many people were affected until yesterday. The hacked database stored names, birthdates and genders of child users as well as adult user information like names, email addresses, passwords, security questions and answers for password retrieval, IP addresses, mailing addresses and download histories.

In a statement posted online, VTech confirmed that the database did not include credit card numbers or Social Security Numbers.

What's worse is that it may be possible to link stolen data about children back to their family's last name and home address, according to Troy Hunt, who runs a service that alerts consumers to data breaches. In an interview with Motherboard, a tech website, Hunt described the feeble security measures on VTech's websites and said, "That's very negligent. They've obviously done a really bad job at storing passwords."

Motherboard reports that the hacker that claims responsibility for the hack contacted them and provided them with the breached files. Motherboard then reached out to VTech who answered with an email:

"On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database," Grace Pang, a VTech spokesperson, told Motherboard in an email. "We were not aware of this unauthorized access until you alerted us."

The bottom line is this: not only was this a massive hack that could have serious consequences for the customers and children involved, but there is nothing we can do about a company’s security habits.

And privacy advocates say we can expect more breaches involving children. Companies are increasingly producing and marketing to children with toys high-tech toys that connect to the Internet. These toys allow companies to gather information from households when they're bought and set up and then while the kids are playing with them—making the market for these toys a veritable gold mine.

“Toy companies are rushing to cash in on the changing nature of childhood in the Big Data era, where Internet connected toys are linking children to a vast surveillance network,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “These playthings can monitor their every move, turning what should be innocent and pleasurable experience into something potentially more sinister.”

VTech isn't the only company making these toys. This holiday season, Fisher-Price has introduced its Smart Toy Monkey, described as an "interactive learning buddy" that "talks, listens and remembers what your child says." This season expect to see "Hello Barbie," which uses artificial intelligence to learn about and talk to your child. Mattel and ToyTalk, the makers of Hello Barbie, have assured customer that data will be heavily safeguarded, but even their privacy policy admits that they cannot guarantee the security of the data:

“We take reasonable measures to protect personal information in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration and destruction,” it reads. “Please be aware, however, that despite our efforts, no security measures are perfect or impenetrable and no method of data transmission that can be guaranteed against any interception or other type of misuse.”

As for now, Chester from the Center for Digital Democracy, has alerted the Federal Trade Commission in the hopes that they open a formal investigation into VTech for violating the Children's Online Privacy Protection Act, which was designed to help protect the privacy of children under 12.

What does this mean for us?

We're only too aware of how valuable a child's identity is to an identity thief, because they have no previous credit history and the crime can often go undetected for years. Exercising caution when buying toys like this for our children is essential. Consider limiting your child's time with the toy to minimize how much data the toy can access.

Ultimately, unless we completely avoid toys like this, there is very little we can do to prevent the exposure of our data in a breach such as this one, which is why it is crucial to engage in proactive measures to safeguard our privacy and identities.

An identity theft protection plan like Identity Guard can help you protect against identity theft and credit fraud by monitoring your credit files, public records and personal information, and alerting you to certain activity that may indicate fraud. You can also add kIDSure to your identity theft protection plan. With kIDSure you can rest easy while Identity Guard scours thousands of data sources, searching for information related to your child—if it finds activity that suggests someone is using your child's information as their own, you'll get an alert. Identity Guard also offers a service called Privacy Now that can help give you more control over your privacy. Privacy Now gives you personalized recommendations to better guard your privacy and minimize your risk of fraud, gives you access to tools to actively monitor and manage threats to your data, and will send you alerts when your level of risk changes.

Take charge of your life and protect yourself and your family—be vigilant, stay informed, and act.