The VTech breach disclosed over 6 million instances of personally identifiable information for parents and children that subscribe to VTech products and services. With details still emerging, here are some thoughts from the Office of the CTO at BeyondTrust.
What are the potential implications of this breach?
It is not uncommon for web based services to require a parent / adult to authorize usage for a minor – especially for the target age of children using VTech products. The problem is not with data collected, but the potential parent-child relationship linkage that has been compromised and security information questions associated with the accounts.
Children are unfortunately easy targets for cyber criminals (a profile that we have not seen much of in the past) especially if there is address, parental informational, and security question challenge response data is known. If any of them have bank accounts, trust funds, etc. impersonating a parent would be a trivial matter since you expect an adult to be speaking on their behalf. With the relationship knowledge leaked, potential answers to security questions available, new attacks could easily evolve based on the available information.
As with any attack, what is the value of the information and how can it be used? In this case, it is much more than knowing where a child lives. It could have other more serious financial ramifications over even old school crimes like kidnapping for ransom if the people are wealthy or in a position of power.
This seems like something that should invite regulatory or legal scrutiny. Any opinions?
The leakage of generic information is currently not a crime under any government regulation. While modern laws require notification, penalties only exist for financial or health care information.
This case is a little different. It involves children. Protecting children and their information may fall under other privacy laws like FERPA (Family Educational Rights and Privacy Act) of 1974 since these toys are generally developed as educational tools but it is to be seen whether the context of a law written in the 70’s covers this type of breach. In my opinion, it should.
Does BeyondTrust have any recommendations?
A word for parents. When registering yourself and children for these types of sites and services, fill in the minimal information required and if it is not needed, don’t volunteer information. The less correlated information on the web, the better in case any one of these individual sites is compromised. Also, if you are in a situation where your child could be threatened, consider using an alias or nicknames for them. This would help establishing a direct link by name alone.
Morey J. Haber, Chief Security Officer at BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.