For young kids, tablets are now the most often-used device for going online. To keep kids safe on these devices, many parents are choosing a specialty tablet designed just for kids. These tablets typically have their own online store filled with educational apps and games. One of the most popular tablets for kids is InnoTab by VTech.
This past week, VTech, the maker of InnoTab and other learning toys, announced they had a security breach. According to VTech, someone accessed their customer database on their Learning Lodge App Store and Kid Connect and downloaded information from personal accounts.
This data breach is the biggest cyber attack targeting children’s information. These comprised accounts included personal information as well as photos and chat logs. VTech collected this data from families when they registered at Learning Lodge App Store and on other services.
The hacker was able to get access to data, which included name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history as well as the child’s account information consisting of name, gender and birth date.
Motherboard was the first site to report the breach. The hacker contacted Lorenzo Franceschi-Bicchierai from Motherboard and shared the data with him. Troy Hunt, a security expert, first analyzed the data. On his site, he goes through how the data was collected and how the parent account relates to the child account. In the end, he states that VTech, “still have gaping holes that allow every kid to be matched with every parent.” Motherboard also reported the breach included photos as well as chat logs. This is a tremendous amount of personal information that can be tied together. For more details about the breach, Troy Hunt has an excellent post and Motherboard is continuing to update their website with new information.
With tablets, smartwatches and Hello Barbies on wish lists, parents need to question how these companies are protecting their families’ privacy. Companies need to have strong security in place. Also, they should limit the exposure of data, especially children’s data. Even if VTech implements a robust security system, by sharing the data more widely with other companies, they are leaving it exposed on other sites.
According to Motherboard, this hacker does not intend to sell or publicly post the data. If this data was released, the risks included potential identity theft or targeted phishing campaigns. Thieves value a child’s clean credit record. Consequently, children’s identify theft is on the rise. Of course, there is the creepiness of knowing your child’s information, photos and conversations are available to anyone.
For now, there is not a lot families can do to protect themselves from a security breach.
Families can try to limit exposure by:
Setting unique and strong passwords
Creating a separate email for these accounts
Limiting the amount of information shared
Entering incorrect information when possible
VTech has shut down the Learning Lodge App store. They have also suspended accounts and contacted customers. Given the poor security on the VTech site, families should delete their accounts and remove their information even if it is not one the millions compromised.