Five million customers affected by Vtech database hack – experts comment

The BBC broke the news earlier this afternoon that electronic toy and educational material seller Vtech has confirmed that about five million customers were affected in the data theft reported on Friday.

@DFMag received the following commentary from cyber security experts:

Mark Bower, global director at HPE Security:

“This breach exposes a weakness in regulations and programs to enforce them. There are regulations in place about the collection, storage and use of data involving children; but perhaps they need a rethink, as compliance may not be enough to protect today’s children’s data from advanced threats.

In the United States, the regulation is called COPPA, the “Children’s Online Privacy Protection Rule”, which is regulated by the FTC. There are specific controls that must be adhered to in collecting and using children’s data, and several companies have been fined to date for non-compliance[1]. Breach of children’s data in itself has many serious risks, as you could imagine, and anyone collecting such data must take steps to protect it from advanced attacks as in this case.

The COPPA regulation relates to ensuring consent to collect data for the most part, but the rule is quite specific about limiting the disclosure of information. However, compliance to it may not take into account the inevitable breach scenario after which it’s too late. Programs designed to allow vendors to meet COPPA, like KidSAFE, don’t go far enough against modern attack vectors. KidSAFE requires only basic protections.

So, this breach shows how little the perimeter security controls offered by KidSAFE do in protecting the child’s data from breach risk. If the data itself is not secured, it is at risk of theft irrespective of access controls and firewalls. Breach after breach proves this beyond any doubt.

Perhaps this is a call to action to revise and enhance KidSAFE and COPPA in light of this breach. The risk can be mitigated easily today. Leading vendors who truly value the security of their customer, and more importantly sensitive children’s data, can get ahead of the attack and compliance challenges in one swoop by adopting modern data-centric security to secure the data in use, in motion and in transit – not just the increasingly translucent IT perimeter.

Reference to KidSAFE, which VTECH is a participant in:

[1] The actual safeguards required will depend on a variety of factors, including (among other things) the sensitivity of the personal information stored about children, the amount of personal information stored, the method of storage, and the size of the company operating the site or service.”

David Gibson, VP of strategy and market development at Varonis:

“Hardly a day passes now without a breach of some sort, and it makes those of us embedded in the security and data protection world wonder when organisations will demonstrate a sense of urgency. Our observations suggest that businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. SQL injection is something everyone needs to protect themselves against. It’s so critical, that it’s the first module covered in a security course that Varonis and Troy Hunt teamed up to provide to the community — for free — here:

There are so many basic vulnerabilities that organisations need to address – external and internal – and even when you get the basics right, you still need to recognise that attackers will get inside, and insiders that may “break bad” are already there. When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time making sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.”

Gavin Reid, VP of threat intelligence, Lancope:

“It is terrible even thinking that these children have had their data exposed before they even know what it is. This is the new world order in privacy, where you should expect anything handed over to organisations to be exposed at some point.”