The VTech breach disclosed over 6 million instances of personally identifiable information for parents and children that subscribe to VTech products and services. With details still emerging, here are some thoughts from the Office of the CTO at BeyondTrust.
What are the potential implications of this breach?
It is not uncommon for web based services to require a parent / adult to authorize usage for a minor – especially for the target age of children using VTech products. The problem is not with data collected, but the potential parent-child relationship linkage that has been compromised and security information questions associated with the accounts.
Children are unfortunately easy targets for cyber criminals (a profile that we have not seen much of in the past) especially if there is address, parental informational, and security question challenge response data is known. If any of them have bank accounts, trust funds, etc. impersonating a parent would be a trivial matter since you expect an adult to be speaking on their behalf. With the relationship knowledge leaked, potential answers to security questions available, new attacks could easily evolve based on the available information.
As with any attack, what is the value of the information and how can it be used? In this case, it is much more than knowing where a child lives. It could have other more serious financial ramifications over even old school crimes like kidnapping for ransom if the people are wealthy or in a position of power.
This seems like something that should invite regulatory or legal scrutiny. Any opinions?
The leakage of generic information is currently not a crime under any government regulation. While modern laws require notification, penalties only exist for financial or health care information.
This case is a little different. It involves children. Protecting children and their information may fall under other privacy laws like FERPA (Family Educational Rights and Privacy Act) of 1974 since these toys are generally developed as educational tools but it is to be seen whether the context of a law written in the 70’s covers this type of breach. In my opinion, it should.
Does BeyondTrust have any recommendations?
A word for parents. When registering yourself and children for these types of sites and services, fill in the minimal information required and if it is not needed, don’t volunteer information. The less correlated information on the web, the better in case any one of these individual sites is compromised. Also, if you are in a situation where your child could be threatened, consider using an alias or nicknames for them. This would help establishing a direct link by name alone.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.