Software Integrity Blog


The VTech toy hack: What you need to know

News recently broke that toy manufacturer VTech was breached, exposing over 6M records of customer data, some related to children. The news is generating concerns about the Internet of Things (IoT) and consumer privacy.

Putting personal information into a website is not new. People rarely walk into a bank, and online shopping is at an all-time high. Banking sites and shopping sites exist in regulated industries where security is a non-negotiable. Banks have large groups embedded in their development teams dedicated to securing applications on the web and mobile devices. Banks test applications regularly to identify and eliminate vulnerabilities exploitable for attack.

But a toy maker? Other than reputational risk, what drives VTech toward ensuring the data security? I know nothing about VTech, but my guess is that they’re most interested in turning out applications as quickly as possible. I can predict with near certainty that their investment in application security is a fraction of a bank or commerce site.

To a parent, information about their child is every bit as sensitive as their bank account number. But since most of our early interactions with online systems are banking or e-commerce, parents likely worked under the assumption that the data was handled with equal care as their bank account number or credit card data.

To be clear, this is not unique to VTech, they’re just one of the first to have their breach disclosed. This is a problem that will grow as the IoT grows in adoption, creating more data to collect and store. Which means that organizations will build more applications to collect that data.

Many of those things will collect personal data, photos, and other sensitive information and that data will be stored. But the organizations building those applications will have limited experience in securing those applications and few will be truly committed to protecting the data collected. The bad guys live for this confluence and will quickly find ways to exploit that data.

The infamous Target breach started with exploitation of an HVAC system—an IoT application, but most of us never interact with a commercial HVAC system. The VTech toy hack brought the problem to the 6M+ of the rank and file, and added the emotional component of data about children.

Now that we have your attention, prepare for more of these breaches as more things get connected, more data is collected, and application security continues to be ignored.

Learn more about the need for more secure IoT devices. 

More by this author