1 December 2015

The Toy maker VTech has suffered an extremely large data breach, occurring on 14 November, making it one of the largest consumer data breaches (fourth biggest in history).  Not only is the extent of compromised customer data in the millions, estimated at nearing 5 million, but making this breach more of a concern is that much of the data compromised and stolen relates to children (200000 children). Moreover, that data can be used to make associations of children to parents to addresses etc., the potential security harm is huge.

VTech makes technology products for children, they include: cameras, tablets, computers, smart watches and interactive toys, etc.  The toys are very popular with parents of younger children and children, as can be seen by the sizable breach.

Although the breach is said to have occurred 14 November, it was only detected 10 days later.  Information that may have been compromised includes names, email addresses, encrypted passwords, secret question and answers for password retrieval, IP addresses, mailing addresses and download history.  Additionally, data including children’s names, dates of birth and gender was also stolen.  Although VTech have ‘assured’ customers that neither payment details nor personal I.D. information was stolen, the hackers can easily associate the range of other information that was stolen, rendering that information unneeded.

VTech has a website ‘Learning Lodge’, the app-store database, which was hacked.  The site acts as a gateway for customers, adults and children, to access and download content such as games and e-books to be used with the VTech children’s computers and tablets.  Since the breach occurred, the site has been disabled.

Questions are mounting with regards to the security of the toy maker’s website and the level of security utilised by VTech to secure the customers data processed on the site.  The level of encryption used is questionable and like a multitude of other organisations not all data seems to have been encrypted.

It is important that all data, not only sensitive and personally identifiable data, be encrypted.  If VTech had properly secured their data through encryption, all the data that was comprised would be of no use to the hackers.  Encrypted data is rendered illegible.

Encryption of data is critical.  Breaches will continue to occur; it is not acceptable for organisations to continue to gamble with the security of customer’s data.

Once again the importance of properly securing data through encryption is highlighted, unfortunately at the expense of millions of individual’s data which has been placed unnecessarily at risk.  The outcome could have been very different, although the attack would still have occurred, if the data was encrypted it would not be compromised.

Encryption of data is simple to achieve (Galaxkey achieves this effortlessly), failing to encrypt is no longer acceptable.  In the case of VTech, not even the security basics for protection against a cyber attack were present.  Furthermore, all communications were happening over unencrypted connections.

Security experts have warned that it is possible that connected toys could be targeted by hackers.

Failings for multiple IoT companies with regards to security 

This type of scenario stresses the potential failings for multiple Internet of Things (IoT) companies with regards to security.  Many companies strive to develop the products/devices that connect to the internet but the security challenges are not properly addressed.

A breach of this kind and this magnitude highlights the growing challengers of the Internet of Things (IoT), where products are designed to connect to the internet, thereby enabling communications with the user and the device, processing and transferring data in a manner that previously may have been unfounded.

The Internet of Things (IoT) is merging the digital and physical environments. It’s the next evolution in technology. We are seeing use of IoT in our homes, our vehicles, our children’s toys and throughout many industries.

It is anticipated that by 2020 there will be at least 50 billion devices connected to the Internet. For some time already, there have been more devices connected to the Internet than people.

The security concerns surrounding the Internet of Things penetrates all subsists as the opportunities for the IoT expand and the IoT become more prevalent in our every day lives. Majority of us, often unaware that this is even occurring, but these devices are processing large amounts of data and this is something that we must not underestimate, if we are to ensure security and safety.

We need to counter and understand the security risks; industries and consumers will want to acquire the endless opportunities obtainable through the IoT and we will need to approach security differently to contend with the new security challenges that this presents.

It should be noted that the security challenges don’t really change, they just take a different application. The pillars of security will still stand and be counted, Confidentiality, Integrity and Availability.

Multitudes of products/devices are being connected to public and private networks globally and with each connection an additional potential entry point and potential security concern is introduced, this endpoint could be used maliciously. These devices have the potential for connecting to and allowing access into many consumers and businesses networks if not secured properly.  Network security alone will not suffice.

Previous to the IoT, systems were considered isolated and thus secure however the IoT presents the ability for devices to communicate outside of these secure boundaries.

We need to counter the potential risk to personal safety, compromised privacy and security, the facilitation of attacks on other systems, enabling of unauthorised access and exploitation of personal information, all within very challenging environments and under varying and challenging scenarios.

The vast amounts of data brought about through this evolving technology, data processed, transferred, communicated and stored must be properly secured.  Data, irrespective of type and source, must be encrypted to guarantee it is secure.

For more information regarding the VTech breach: