Lesson 12 - Security Breach Example 2
The high-tech toy maker for children, VTech, suffered a security breach to its database in November 2015. This breach could affect millions of customers around the world, including children. The data breach exposed sensitive information including customer names, email addresses, passwords, pictures, and chat logs.
A toy tablet had become a new target for hackers. The customers had shared photos and used the chat features through the toy tablets. The information was not secured properly, and the company website did not support secure SSL communication. Even though the breach did not expose any credit card information and personal identification data, the company was suspended on the stock exchange because the concern over the hack was so great.
VTech did not safeguard the customers’ information properly and it was exposed during the breach. Even though the company informed its customers that their passwords had been hashed, it was still possible for the hackers to decipher them. The passwords in the database were scrambled using the MD5 hash function, but the security questions and answers were stored in plain text. Unfortunately, the MD5 hash function has known vulnerabilities. The hackers can determine the original passwords by comparing the stored hashes against millions of pre-calculated hash values.
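The weakness described above, shown next to a hardened alternative. This is an added example, not part of the original lesson: the account names and passwords are constructed, and PBKDF2-HMAC-SHA256 with a per-user salt and the iteration count shown are assumptions chosen for illustration, since the lesson does not name a replacement scheme.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example


def md5_unsalted(password: str) -> str:
    """The weak scheme the lesson describes: a bare, unsalted MD5 digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> dict:
    """Hardened storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def accounts_sharing_a_digest(stored: dict) -> int:
    """Audit helper: count accounts whose stored value equals another account's."""
    counts = {}
    for value in stored.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(n for n in counts.values() if n > 1)


# Constructed sample accounts (not data from the breach).
SAMPLE_USERS = {"parent_a": "Sunshine2015", "parent_b": "Sunshine2015", "parent_c": "blue-Kite-77"}


def demo() -> tuple:
    """Return (accounts sharing a digest under MD5, same count under salted PBKDF2)."""
    weak = {user: md5_unsalted(pw) for user, pw in SAMPLE_USERS.items()}
    strong = {user: hash_password(pw)["digest"] for user, pw in SAMPLE_USERS.items()}
    return accounts_sharing_a_digest(weak), accounts_sharing_a_digest(strong)


if __name__ == "__main__":
    weak_shared, strong_shared = demo()
    print(f"unsalted MD5: {weak_shared} accounts share a digest")
    print(f"salted PBKDF2: {strong_shared} accounts share a digest")
```

With unsalted MD5, every account that uses the same password stores the same value, so a single pre-calculated hash matches all of them at once. The per-user salt makes each stored value unique, and the iteration count makes each guess expensive.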
With the information exposed in this data breach, cybercriminals could use it to create email accounts, apply for credit, and commit crimes before the children were old enough to go to school. For the parents of these children, the cybercriminals could take over the online accounts because many people reuse their passwords on different websites and accounts.
The security breach not only impacted the privacy of the customers, it also ruined the company’s reputation, as indicated by the company when its presence on the stock exchange was suspended.
For parents, it is a wake-up call to be more vigilant about their children’s privacy online and demand better security for children’s products. Manufacturers of network-connected products need to be more aggressive in the protection of customer data and privacy now and in the future, as the cyberattack landscape evolves.