VTech Holdings is a Hong Kong-based company that specializes in making kid-friendly smart devices and connected toys. They were recently the target of the 4th largest consumer data breach in history, on November 14th, which affected 4.8 million adults who used the Learning Lodge App Store and over 200,000 children. Adults' personal information, including email addresses, passwords, security questions and answers, and download history, was leaked. Videos, pictures, names, genders, and birthdays of children were also leaked. According to Motherboard, it’s possible to link children to their parents based on the images.
How could this have been prevented? Very simply, according to Troy Hunt. Apparently, SSL was nowhere to be found, all of this data was traveling over unencrypted networks, and only the most barebones password protection was used, which is basically no protection at all. Even the hacker was surprised, especially about the easy access to images of children (which will supposedly not be sold), saying: “Frankly, it makes me sick that I was able to get all this stuff. VTech should have the book thrown at them.” Luckily, no payment information was stolen.
So how does this impact the Internet of Things? Well, it emphasizes the importance of security yet again. Without even basic protections, it’s very easy to seize the data traveling over the web. I have no doubt that soon there will be fearmongering cries of “Is the IoT dead?” or “Think of the children,” but I don’t think we need to be concerned about the Internet of Things in general. This seems to me to be an example of a company that went too fast, too soon, and didn’t make sure its brakes were working before getting in an accident. If we want the Internet of Things to grow, companies need to be involved in making sure connected devices are A. useful and B. secure, and consumers need to hold these companies accountable and choose our purchases wisely.
You can find out more about what exactly was leaked, as well as VTech's specific failings, at Troy Hunt's blog.