Toy Company Data Breach Exposes Kids' Information
VTech, a popular manufacturer of children’s toys, has experienced a significant data breach that exposed the personal information of parents and their children. Almost 5 million customer records were affected by the breach of the Hong Kong-based company. As a result, adult users’ email addresses, home addresses, and security questions and answers were released to the public, as well as children’s names, dates of birth, and passwords. Motherboard reports that the hacker responsible for the breach also gained access to the child users’ headshots used to create avatars, as well as chat logs between kids and their parents. Collectively, this breach has revealed a substantial amount of information about individual parents and kids as well as entire families.
Popular VTech toys include kids’ tablets, smart watches, and educational playsets, though it’s important to note that not only digital toys were affected by the breach: as noted by Ars Technica, “products such as the Cyber Rocket are physical products…which then encourage the creation of digital accounts. This creates a relationship between physical and digital assets by virtue of the Citizen ID.” Earlier this year, VTech’s Kidizoom Action Cam, Kidizoom Smartwatch DX and Write & Learn Creative Center were selected as the Best Children’s Products of 2015 by the influential Dr. Toy website.
The company has released a statement regarding the breach, reporting that the customer data that was lost had been housed on their “Learning Lodge app store database…Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.” They also provided email addresses that their customers could use to contact the company regarding the breach. The aforementioned Ars Technica article points to a lack of encryption on the part of the toy manufacturer, which made the situation worse than it could have been: “Lack of cryptographic protection for sensitive data is yet another example of where it’s all gone wrong. Those security question and answer pairs are irrevocable pieces of personal information used to establish identity in all sorts of different places.”