What parents need to know about the VTech cyber attack

For young kids, tablets are now the most often-used device for going online. To keep kids safe on these devices, many parents are choosing a specialty tablet designed just for kids. These tablets typically have their own online store filled with educational apps and games. One of the most popular tablets for kids is InnoTab by VTech.

This past week, VTech, the maker of InnoTab and other learning toys, announced they had a security breach. According to VTech, someone accessed their customer database on their Learning Lodge App Store and Kid Connect and downloaded information from personal accounts.

This data breach is the biggest cyber attack targeting children’s information. The compromised accounts included personal information as well as photos and chat logs. VTech collected this data from families when they registered at Learning Lodge App Store and on other services.

The hacker was able to get access to data, which included name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history as well as the child’s account information consisting of name, gender and birth date.

Motherboard was the first site to report the breach. The hacker contacted Lorenzo Franceschi-Bicchierai from Motherboard and shared the data with him. Troy Hunt, a security expert, first analyzed the data. On his site, he goes through how the data was collected and how the parent account relates to the child account. In the end, he states that VTech “still have gaping holes that allow every kid to be matched with every parent.” Motherboard also reported the breach included photos as well as chat logs. This is a tremendous amount of personal information that can be tied together. For more details about the breach, Troy Hunt has an excellent post and Motherboard is continuing to update their website with new information.

With the boom in interconnected toys, toy makers are becoming technology companies. These companies are collecting and storing a lot of data. Arguably, they are acquiring information beyond what they need. The reason is that data is valuable for marketing purposes. In its privacy policy, VTech says it shares this information “with our affiliate companies and with other companies who offer products and services that we think may be of interest to you.” Basically, anyone they want.

With tablets, smartwatches and Hello Barbies on wish lists, parents need to question how these companies are protecting their families’ privacy. Companies need to have strong security in place. Also, they should limit the exposure of data, especially children’s data. Even if VTech implements a robust security system, by sharing the data more widely with other companies, they are leaving it exposed on other sites.

According to Motherboard, this hacker does not intend to sell or publicly post the data. If this data were released, the risks would include potential identity theft or targeted phishing campaigns. Thieves value a child’s clean credit record. Consequently, children’s identity theft is on the rise. Of course, there is the creepiness of knowing your child’s information, photos and conversations are available to anyone.

For now, there is not a lot families can do to protect themselves from a security breach.

Families can try to limit exposure by:

  • Setting unique and strong passwords

  • Creating a separate email for these accounts

  • Limiting the amount of information shared

  • Entering incorrect information when possible

VTech has shut down the Learning Lodge App Store. They have also suspended accounts and contacted customers. Given the poor security on the VTech site, families should delete their accounts and remove their information even if theirs is not one of the millions compromised.

For questions about the breach or your account, contact VTech at vtechkids@vtechkids.com