By: Michael O’Farrell, Ruaidhrà GiblinÂ
PRIVATE details of at least 30,000 Irish families have been exposed on the internet in a data breach that security experts have described as ‘terrifying’.
VTECH, a Chinese company which sells toys, gadgets and educational material for children, was hacked last month along with its online store Learning Lodge, where parents use personal information to download apps, ebooks and games for VTECH products.
The hacked data includes the names, email addresses, passwords and home addresses of 4,833,678 parents worldwide who have bought VTECH products in the past. But many more will have recently secured bestselling VTECH products for safe-keeping in Santa’s storehouse.
The data dump also includes the first names, genders and dates of birth of more than 200,000 children worldwide.
Experts have warned that the stolen data could be used by abusers to establish a conversation trail or even worse to ‘groom’ children online.
In Ireland, data belonging to 14,230 parents living in Dublin has been exposed, according to one cyber security expert, but this figure is expected to at least double when data from the rest of the country is analysed. It is not clear how many Irish children’s names have been exposed.
Crucially the type of hack was not particularly sophisticated, according to experts – leading to ‘fundamental’ questions over the security infrastructure at VTech.
Mark James, an IT security specialist with ESET, told the Irish Mail on Sunday: ‘Data breaches of any kind are bad news for all concerned but when minors are involved the potential dangers could be even worse.
‘We all talk about credit card details but immediate financial loss from most breaches is quite small. What’s terrifying here is the fact that children’s information has been stolen that could enable a third party to establish a trust relationship that may enable them to converse or even befriend these unsuspecting children.’ He said: ‘Birthdays, mummy’s, daddy’s and even grandparents’ names – if used for secret questions and answers – could all be used for communication that could establish a conversation trail, or worse grooming – not to mention the adults’ info being used for identity theft or credit card fraud.
‘Companies need to understand all data is private. They must take better measures to protect our data and not just financial information. VTech must take responsibility for what has happened and notify all the parents involved to explain the possible dangers and what to look out for.’ Professor Alan Woodward, cyber security expert at Surrey University, told the BBC that the firm may have been subjected to a simple hacking technique known as an SQL injection.
‘If that is the case, then it really is unforgivable – it is such an old attack that any standard security testing should look for it,’ he told the BBC. ‘If initial reports are correct they should be taking their website connection to their databases offline until they can discover how this was done.’ Mary Nicholson, head of advocacy at the Irish Society for the Prevention of Cruelty to Children, said the release of children’s data would be concerning and it was important VTech acted swiftly.
The prospect of information associated with young children was ‘really, really concerning’, she said.
Staff at Smyth’s toy store in Blanchardstown, Dublin, said VTech toys were one of their best sellers and very popular with three to six-year-olds. One staff member said tablets and mobility aids such as toys that children can walk around with were so popular ‘you’re better off getting them as soon as possible’ as they could sell out soon. It is the fourth largest data breach to date, according to experts. Troy Hunt, a cyber security expert, stated that ‘when it’s hundreds of thousands of children, including their names, genders and birthdates, that’s off the charts.
‘When it includes their parents as well – along with their addresses – and you can link the two and emphatically say, “Here is nine-year-old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is.’ VTech announced the breach on Friday and in a letter to affected customers wrote: ‘On November 24 we discovered that an unauthorised party accessed VTech customer data on our Learning Lodge app store customer database on November 14… ‘Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.’ Phone calls to VTech’s offices in Oxfordshire as well as their British PR representatives were not answered last night. Messages to a spokeswoman for VTech were not responded to.
It is understood that affected families reside in more than 15 countries around the world.
