VTech hack: Four crucial takeaways for every parent and CEO

The hack was a catastrophic loss of data for parents and children, and could have been prevented had lessons from other breaches been learned.
Written by Zack Whittaker, Contributor

Three words you'll never want to hear: "You've been hacked."

For tech toy maker VTech, it couldn't have come at a worse time: the Thanksgiving holiday, when millions rush to stores and virtual shelves to buy the latest and greatest.

For millions of parents, there's likely little sympathy for the Hong Kong-based company, after a system weakness allowed a hacker to download tens of thousands of photos, voice recordings, and parent-child chat logs from millions of parents and children.

It's not clear exactly how far the hacker got into VTech's systems, or if there will be more to come in the next few days. The company did not return an email requesting comment on Wednesday.

The company is putting together the pieces of what's happened, and investigations are ongoing. With much of the pilfered data belonging to European citizens, it's possible EU authorities will investigate.

Here are four takeaway lessons for parents -- and executives -- from this breach.

1. VTech's security was so bad, it admitted it

VTech took a somewhat remarkable step in admitting, flat out, that its database was "not as secure as it should have been" in its updated press release Tuesday, which added that 6.4 million kid profiles were stolen in the attack, a significant bump from the initially reported 200,000 figure.

Security isn't difficult, it just requires thinking about it -- both as a company and as a consumer.

"Security needs to be designed into the fabric of the service from the beginning. It cannot be bolted on as an afterthought," said Mark Nunnikhoven, vice-president of cloud research at security firm Trend Micro.

"Taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people," said Troy Hunt, a Microsoft MVP for developer security, who was credited with helping discover the hack alongside tech site Motherboard.

2. Too much data was at play. Was it necessary?

Attacking websites is child's play. Hacking children's data is a whole new game scarcely seen in cybersecurity circles -- in most cases because very few tech services are available to children.

In the US, the Children's Online Privacy Protection Rule (COPPA) is designed to regulate how much data is collected on children, but critics warn that the rule does "not go far enough" against modern attacks.

With so much data at play, you have to wonder why it was stored in a system that was accessible from the web.

Tod Beardsley, security research manager at Rapid7, explained in an email that the data was likely stored in a database that was accessible from the company's front-end website, which requires little work on a hacker's part. Hunt said on his blog that he believes the initial point of attack was due to an SQL injection attack -- a common website attack technique.

"Making photographs and chat logs accessible via the front-end of a web site is a risk for nearly any organization, as it makes a data leak with potentially sensitive and personal information much more probable," said Beardsley.
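To make Hunt's and Beardsley's points concrete, here is an added illustration (not code from VTech or from anyone quoted here) that runs a lookup against a constructed SQLite database. It compares a query built by string concatenation with a parameterized one, and a front-end database that also holds chat logs with one that does not. The table names, sample rows and helper functions are assumptions made for the example.

```python
import sqlite3

# Constructed hostile input: closes the string literal and appends a second query.
HOSTILE = "x' UNION SELECT message FROM chat_logs --"

def build_frontend_db(holds_chat_logs):
    """Constructed schema for the database the public website queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parents (email TEXT, display_name TEXT)")
    db.executemany("INSERT INTO parents VALUES (?, ?)",
                   [("alice@example.test", "Alice"), ("bob@example.test", "Bob")])
    if holds_chat_logs:  # the risky layout: sensitive data beside the web data
        db.execute("CREATE TABLE chat_logs (parent_email TEXT, message TEXT)")
        db.execute("INSERT INTO chat_logs VALUES (?, ?)",
                   ("alice@example.test", "goodnight, see you tomorrow"))
    return db

def lookup_concatenated(db, email):
    """Weak: user input is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT display_name FROM parents WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, email):
    """Hardened: the driver binds the input as a value, never as SQL."""
    sql = "SELECT display_name FROM parents WHERE email = ?"
    return [row[0] for row in db.execute(sql, (email,))]

def rows_exposed(db, lookup, value):
    """Rows a lookup returns for a value; [] when the database rejects it."""
    try:
        return lookup(db, value)
    except sqlite3.OperationalError:  # e.g. "no such table: chat_logs"
        return []

if __name__ == "__main__":
    shared, split = build_frontend_db(True), build_frontend_db(False)
    print("concatenated, shared db: ", rows_exposed(shared, lookup_concatenated, HOSTILE))
    print("parameterized, shared db:", rows_exposed(shared, lookup_parameterized, HOSTILE))
    print("concatenated, split db:  ", rows_exposed(split, lookup_concatenated, HOSTILE))
```

Only the concatenated query against the shared database returns a chat message. Parameterizing the query removes the injection, and keeping chat logs out of the web-facing database limits what any remaining flaw can reach.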

Though no credit card data and Social Security numbers were taken, a huge amount of other personally identifiable information -- such as photos, audio recordings, and chat logs between parents and their children -- was taken.

Data is like crack cocaine to companies, like surveillance is to governments, as one preeminent civil liberties lawyer once said. The more you collect, the higher the stakes, and the greater the problems if a hole is ever found.

3. Most companies are now tech companies. With that comes new responsibilities

Almost every company, from your local dry cleaners to schools and even toy manufacturers -- as we've seen in the VTech hack -- is now a tech company in some way, shape or form. Almost every company now takes in data, and its patrons and customers rely on a trust relationship to keep it safe.

"The challenge facing toy -- and device -- companies is that delivering an end-to-end service is quite complex," said Nunnikhoven, adding that many companies aren't thinking like tech companies, and put security out of mind and out of sight.

"For toy and device companies, the key is not to reinvent the wheel. Building your own infrastructure and service backend is not only costly but you're more likely to repeat common security mistakes," said Nunnikhoven.

Hacks are the worst-case scenario for a lot of companies: stocks get hammered, investigations begin (and generally never end well), and consumer trust gets wiped out. The plus side is that people and companies learn from these mistakes, and firms hike spending in IT and security.

This will, on the bright side, send a "wake-up call to other family-oriented manufacturers to take special care in protecting the data they collect," said Beardsley.

4. The hack is over, but the aftermath could live on for years

In times like this, you would expect a hacked company to offer credit monitoring services or fraud prevention. It's a tough sell when the company didn't store credit card data or Social Security information, the kind of data that makes it easier to steal identities.

"There are many opportunities here for fraudsters to use the data for account and login hacking, as people tend to re-use passwords in multiple places, and email/password pairings frequently give hackers access to multiple sites," said Diarmuid Thoma, vice-president of fraud and data at security firm Trustev.

"Nowadays it sometimes happens that sophisticated fraudsters use children's data later on, when they come of age, and establish a credit record or 'credit footprint' without the child even knowing it," said Thoma.

In any case, how do you protect against images, audio files, and chat logs of your children leaking to the web?

According to predictions by security firm Raytheon-Websense, more companies will run under the assumption that they are "already compromised" to help strengthen their ability to "deal with the inevitable."

As for VTech, there's some good news. In an interview with Motherboard, the hacker -- who worked closely with reporters and security experts after the hack -- said it was "never his intention" to sell the data on to a third party, unlike other hackers who have immediately dumped stolen data online for anyone to peruse.

It's not clear how this will play out down the line. There hasn't been a hack on children's identities on this scale in years. You can bet your bottom dollar it will not be the last.
