As we go into the holiday shopping season, many questions arise about whether “smart toys,” which store sensitive data regarding children, are secure from hackers. Children are high-valued targets for hackers because they have clean credit reports and their credit histories likely won’t be reviewed for years until they apply for student loans or their first loans. This is the reason that data breaches involving children’s information are considered more dangerous than other data breaches. Therefore, heightened privacy concerns exist related to toys connected to “the Internet of Things,” as children and adolescents are now the fastest growing sector of identity fraud victims.
On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported it suffered a data breach on November 14, 2015. According to VTech reports, VTech did not learn of the data breach until November 24, 2015. Unfortunately, VTech manufactures “smart toys” and this breach involved the personal information of at least 6.4 million children in addition to the records of 4.9 million adult customers. VTech further reported that this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website.
Even worse, sources are now reporting that other sensitive data, including photos, audio clips and chat logs, were also stolen from the children’s accounts. Surprisingly, this breach did not get publicized until a journalist was informed of the breach by the actual hacker. The hacker reportedly told the journalist that they planned to do “nothing” with the stolen data. The “hacktivist” is further quoted as saying, “Frankly, it makes me sick that I was able to get all this stuff.” In order to verify that they were the hacker, the anonymous person provided 3,832 image files to the journalist containing thousands of pictures of children and adults that used VTech’s software. The hacker also provided texts using the software that included, “Roses are red vilets [sic] are blue and I love you. Mommy and daddy,” and “You are my HERO!Daddy!100 percent!”
Law enforcement and security experts are already getting involved in VTech’s breach. Investigations of this breach are underway in Connecticut and Illinois. Security experts have cautioned that VTech and similar companies may experience further data breaches since “you have all these devices and devices that are connecting to the Internet by companies that don’t have the experience that older software companies do in securing their data.”
This latest breach at VTech demonstrates that data storage is no longer for amateurs. Toy companies can’t just dabble with the storage of sensitive information. These companies need to hire professionals, trained in working on cybersecurity issues, if data storage is not the company’s primary expertise.