Analecta Cyber Company Blog: The VTech data breach shows kids are just as vulnerable to hacking

2015-12-21

The VTech data breach shows kids are just as vulnerable to hacking

VTech is a world leader of age-appropriate learning products. They are the creator of the Electronic Learning Products (ELP) category and the award-winning InnoTab, MobiGo, and V. Reader handheld toys.



Last month, the company disclosed that about 5 million of its customer accounts, including at least 200,000 accounts related to children, had been breached. A staff writer at Motherboard was the first one to report on the massive hack involving the toy maker. A security evangelist and developer at Microsoft then disclosed further details of the breach.

After the admission, the company's initial response was to stress that no financial data were accessed in the breach and therefore customers and kids are not at any risk. But that does not mean that the information accessed by the hackers had no value.

Further, it was also disclosed that other information from Kid Connect, a service VTech setup which allows parents and children to communicate, was also breached. Data exposed include children’s headshots and chat logs between them and their parents. This could mean that children involved may be identified by the hackers through other information they have gathered, putting those kids at risk.

Though VTech has taken down the kid’s portals and app stores, this measure does not eliminate the risk brought to those children.

The “security researcher” that discovered the breach informed Motherboard that he had no bad intentions for the data he had gathered.

Companies have a responsibility


Gaining access to sensitive information has become the normal target of hackers. And now, even innocent kids have been targeted. Even if the information  about children has less monetary value, the sensitive information may somehow be useful to hackers.

Therefore, in cases like this, the company should be held liable and should take full responsibility for the consequences that this incident may incur, especially when it comes to information involving children. Moreover, this should be taken into account in the process of strengthening laws particularly those concerning the protection of the children's online privacy.