VTech hack: What you need to know
Toy company's data breach could affect 5 million users, including parents and kids
This week, VTech, a Hong-Kong-based company that makes electronic learning products for kids, confirmed a massive data breach.
More than five million users' personal information was stolen, including that of Canadian parents and kids.
CBC Radio technology columnist Dan Misener explains what we can learn from this incident.
How did the VTech privacy breach happen?
VTech is the world's largest maker of cordless phones. But in addition to that, the company makes electronic toys and tablet computers for kids. Like many tablet makers, they have an online app store.
The VTech app store, which is called "Learning Lodge," lets parents and kids download apps, games, and other content onto VTech devices.
But in order to use VTech's app store, users need to create an account — and that's where the data breach occurred.
VTech confirmed that a few weeks ago that an "unauthorized party" accessed their database of user accounts. This week, they confirmed that the breach involved more than five million accounts, belonging to parents and kids, including information from Canadian customers.
The hacker claiming to be responsible also claims to have obtained photos from users, as well as chat logs, but VTech hasn't confirmed that.
What information was breached?
The good news is that according to VTech's press release, their database doesn't contain credit card information. So that means credit card details would not be included in the hacked information.
But for customer accounts — the kind of account a parent would set up — the database includes a lot of information, including names, email addresses, passwords, password reset questions and answers, IP addresses, mailing addresses, and the download history for an account.
The data breach also included kids' profiles on the store, which would include kids' names, genders, and birthdates.
How is this breach different than others?
Avner Levin, director of the Privacy and Cybercrime Institute at Ryerson University, says this breach is different because it involves kids' information — and it raises some questions about parents' responsibility.
"You really have to watch out and not sort of jump into all of these neat little ideas, of creating like neat little kiddie accounts. Stop and think — is that what you want to do?" he said.
"You're creating these digital footprints for your kids that are going to go and accompany them throughout life. So these are really questions that I think people have to stop and think about."
Levin said while he thinks the way VTech stored their data is problematic, it's also not a good idea to give VTech kids' information in the first place.
How likely is it we'll see more of these kinds of data breaches?
It seems quite likely, unfortunately.
Part of the VTech story is just how vulnerable their database was in the first place. In a post on his website, Troy Hunt, the security researcher who helped verify the VTech breach, said the company had some alarming security practices. He argued VTech did a poor job securing kids' data.
There's also a larger trend here — more and more objects in our homes becoming connected through the so-called "Internet of Things."
There are lots of companies that are great at making toys, or kitchen appliances, or televisions. But that doesn't necessarily mean they're also great at keeping personal data safe and secure.
What can parents do to help maintain kids' privacy?
Avner Levin, who is both a parent and a security researcher, says if your child is going to have an online account or profile, a little obfuscation is in order.
"Change the age, change the gender, change the name, change whatever you can so that you don't actually have a record of your child online with their real information that can then be stolen and used," he said.
VTech also says its reached out to every account holder via email, to let them know about the data breach.
They've also set up an email address Canadian customers can contact if they're worried about the breach. It's firstname.lastname@example.org.