Wednesday 2 December 2015

Steps to take after the VTech Hack


In the last week, the figures released by toymaker VTech about the massive hack it has suffered have been startling. The worst part about this hack is that it shows that children are not immune to cyber crime. It is important to first realise the scale of this attack and just how many children have been affected worldwide. Below are statistics detailing how many individuals' data has been leaked in each country, and whether the data was that of an adult or a child. As you can see from the statistics below, I have highlighted Ireland; the only reason for this is that I am Irish.


Country                Parent Accounts    Child Profiles

United States          2,212,863          2,894,091
France                 868,650            1,173,497
United Kingdom         560,487            727,155
Germany                390,985            508,806
Canada                 237,949            316,482
Others                 168,394            223,943
Spain                  115,155            138,847
Belgium                102,119            133,179
Netherlands            100,828            124,730

Republic of Ireland    40,244             55,102

Latin America          28,105             36,716
Australia              18,151             23,096
Denmark                4,504              5,547
Luxembourg             4,190              5,014
New Zealand            1,585              2,304

What I find the most frightening about all of this is that a particular VTech service known as Kid Connect was hacked and the information stolen. You may ask why this is frightening, and I am going to explain why. Kid Connect is set up to allow parents and their kids to communicate. That information includes kids' headshots and chat logs between parents and children. In most, if not all, of these cases, the logs, pictures, and recordings can be traced back to specific usernames, allowing anyone in possession of the hacked data to identify the people chatting as well as those in the pictures.
This may lead to a lot more unforeseen problems down the road, but as it stands it is just a very uncomfortable situation for parents to be in, and yet again starkly highlights the dangers for children in the digital age.

If you have been affected by this attack, you might want to know what steps you need to take now.
Luckily for you, it's coming up to Christmas, so the VTech spin doctors are in full flight trying to somehow roll out reassuring and efficient damage control to save what's left of the company's reputation. In response to the attacks they have posted a very detailed breakdown of all of the events and the VTech response that can be found here. If you just want the main points, I have pulled them out and you can find them below.



What kind of information is stored in the database?

Parent account information including name, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted password.
Kids’ profiles include name, genders and birthdates.
Encrypted Learning Lodge’s contents, including Kid Connect’s profile photos, undelivered Kid Connect messages, bulletin board postings and Learning Lodge content (ebooks, apps, games etc).
Download sales report logs.
Progress logs to track kids’ games, for parents’ reference.
It does not contain any credit card information. VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.
It does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

Was any credit card information stolen?

No, our Learning Lodge website database does not contain any credit card information and VTech does not process or store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.

Why do you need this customer information?

Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products. Customers need to set up an account for such transactions. The information is used to identify the customer and track their downloads. As customer safety and privacy are of utmost importance to us, we are making all necessary adjustments to our system security, which will include only storing such information as is required for our customers to download and enjoy our services. All other information will be deleted from our servers.

Is there anything I can do to better protect myself?

Whilst all personal customer passwords are encrypted, even encrypted data can be susceptible to skilled hackers, so we are advising you to immediately change your passwords on any other sites that may use the same email, secret question and answer, and password combination.

What is VTech doing to protect data stored on Kid Connect?

The Kid Connect service has been temporarily suspended. We are reviewing our security protocols and will delete all unsent messages before we restart the service.

How can I change my password or delete my Learning Lodge account and personal data stored on your servers?

As a precautionary measure, we have temporarily suspended Learning Lodge and Kid Connect service along with a number of other websites to conduct a thorough security assessment and whilst we implement additional security protocols. We will advise our customers of further action when the websites are ready to be reactivated.

When can we expect that Learning Lodge will be online again? Should I then register again?

We are working as fast as possible to resume our service. We will advise our customers of further action when the websites are ready to be reactivated.

Is it safe for my kids to play with the toys with Learning Lodge app? Could the hacker reach my kids through the devices, trace their activity or location?

Our investigation to date suggests the breach is on the server, not on the device itself. There is no evidence to suggest the toys are not safe at this time. We will continue to investigate and share more information as it becomes available.

Has there been any customer data found leaked on the internet?

We have no evidence that any of the data has been used or distributed criminally. Whilst all personal customer passwords are encrypted, even encrypted data can be susceptible to skilled hackers, so we are advising you to immediately change your passwords on any other sites that may use the same email, secret question and answer, and password combination.