BreachExchange mailing list archives

What VTech teaches us about the dangers of saying ‘so what?’ to data leaks
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Dec 2015 18:10:31 -0700

http://www.itproportal.com/2015/12/05/what-vtech-teaches-us-about-the-dangers-of-saying-so-what-to-data-leaks/

It has been reported that over 5 million parents and 200,000 children have
had their personal details leaked in one of the largest consumer hacks we
have ever seen. As an information security professional with young
children, the bleeps of a VTech are a familiar backdrop to my weekends.

Fortunately, however, my children don’t have a VTech InnoTab device, whose
customer data appears to have been compromised en masse, which on a personal
level I can only be thankful for.

As security professionals we are typically challenged with the ‘so what?’
question – consumers and businesses ask us whether it truly matters if
one’s personal information is taken; they judge the consequence of a hack
based entirely on the monetary cost, and one can see that being played out
by VTech’s glib response of ‘no card data or financial information was
stolen’ – great!

However, this slightly unapologetic response masks the true problem VTech
customers face: their children’s future online identities, and possibly even
their real-world ones, are already at risk. Names, emails, parent
information, addresses and security questions were all poorly protected with
only a very basic level of encryption that the hacker described as
“trivial” to crack, and the children’s names were directly linked to their
parents’ accounts, which contained further sensitive data such as postal and
email addresses.

This could be the data heist with the most significant potential for
long-term damage. The majority of fraudsters are worried about how long
their data can be used for; for example, credit card data can be blocked
fairly quickly, and adults are able to use credit reference agencies to
monitor unusual credit activity. However, in this case the children are
completely vulnerable. Luckily, the hackers are claiming they will not be
selling the data or using it for nefarious means, but if they change their
minds this could result in a cybercriminal ‘buy and hold’ strategy. Not
only do the hackers hold vast amounts of email addresses that will almost
certainly be the target of spammers, from which they will be able to gain
immediate value if they choose to sell, but any of the accounts where
children’s names can be linked to their parents could be providing them
with answers for future security questions, already coupled with dates of
birth and addresses – this is a treasure trove of long-term value.

Fraud could well be timed over a period of years and criminals could well
take advantage of this data with even darker consequences, not necessarily
even for that exact child but for others. Imagine coupling this identity
information with pictures of the users and we have a real world problem.

People traffickers looking to steal identities, or even create them, could
do so now before the parents can react and have almost everything they need
to match data with a potential mark and start piecing together a fraudulent
identity for any number of ills.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 