BeyondTrust’s thoughts on the VTech Data Breach

December 2, 2015

The VTech breach disclosed over 6 million instances of personally identifiable information for parents and children that subscribe to VTech products and services. With details still emerging, here are some thoughts from the Office of the CTO at BeyondTrust.

What are the potential implications of this breach?

It is not uncommon for web-based services to require a parent or adult to authorize usage for a minor, especially for the target age of children using VTech products. The problem is not with the data collected, but with the parent-child relationship linkage that has potentially been compromised and the security question information associated with the accounts. Children are unfortunately easy targets for cyber criminals (a profile that we have not seen much of in the past), especially if address, parental information, and security question challenge-response data are known. If any of them have bank accounts, trust funds, etc., impersonating a parent would be a trivial matter, since you expect an adult to be speaking on their behalf. With the relationship knowledge leaked and potential answers to security questions available, new attacks could easily evolve based on the available information.

As with any attack, the questions are what the value of the information is and how it can be used. In this case, it is much more than knowing where a child lives. It could have other, more serious financial ramifications, or even lead to old-school crimes like kidnapping for ransom if the people are wealthy or in a position of power.

This seems like something that should invite regulatory or legal scrutiny. Any opinions?

The leakage of generic information is currently not a crime under any government regulation. While modern laws require notification, penalties only exist for financial or health care information. This case is a little different. It involves children. Protecting children and their information may fall under other privacy laws like FERPA (Family Educational Rights and Privacy Act) of 1974, since these toys are generally developed as educational tools, but it remains to be seen whether the context of a law written in the 70’s covers this type of breach. In my opinion, it should.

Does BeyondTrust have any recommendations?

A word for parents. When registering yourself and your children for these types of sites and services, fill in the minimal information required, and if it is not needed, don’t volunteer information. The less correlated information on the web, the better, in case any one of these individual sites is compromised. Also, if you are in a situation where your child could be threatened, consider using an alias or nickname for them. This would help prevent establishing a direct link by name alone.

Morey J. Haber

Chief Technology Officer and Chief Information Security Officer at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
