UK authorities have arrested a 21-year-old suspect in connection with the VTech hack that exposed the data of more than six million kids worldwide. The man was arrested on Tuesday in Bracknell, England, and is being held on suspicion of “an offence, contrary to section 2 of the Computer Misuse Act 1990 and suspicion of causing a computer to perform function to secure/enable unauthorized access to a program/data, contrary to section 1 of the Computer Misuse Act 1990” according to SEROCU’s press release.
According to the official VTech FAQ “in total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts.”
By country the breakdown is as follows:
|Country|Parent Accounts|Child Profiles|
|---|---|---|
|Republic of Ireland|40,244|55,102|
If you are a parent you’re probably doing everything to protect your child. That’s the reason the latest trick Mattel pulled with their “Hello Barbie” dolls has not received the warmest of welcomes (at least here in Germany – but I’m sure elsewhere, too).
On the other hand, you also want your kid to have the latest and coolest toys, right? And those are often more gadgety than ever before and involve lots of technology. That’s nothing bad per se, but as is so often the case, security for devices which require web access and online accounts is not what it should be, as can be seen when looking at the VTech Learning Lodge data breach.
VTech is a Chinese tech company that provides electronic learning products for kids. Signing up for their Learning Lodge online system is required for some of their toys’ features.
“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say “Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is,” says security expert Troy Hunt on his blog.
He goes on to explain the breach at length, mentioning that the data was barely, if at all, encrypted and that there was no SSL anywhere.
So how bad is the breach? Well, names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories are amongst the leaked information, and around 4.8 million families from around the world are affected. But that’s not all: in addition, the names of around 227,000 kids as well as their gender and birthdays are in the mix, too. Oh – and let’s not forget the kids’ headshots and private chat messages …
Data breaches are everywhere recently. This one should make parents think about how much of their kids’ data they want to put on the internet, though. Once it’s out there, anything could happen to it.