John Gunn, VP of Communications, VASCO Data Security International, Inc. says: "As security elsewhere increases, companies such as VTECH are becoming more attractive targets. Because they are not protecting payment data, the security measures they employ are simply much easier to defeat. The hackers will not benefit immediately from the stolen data, but they will use it for other attacks - they collected millions of username and password combinations and more than half of online users use the same password for all of their accounts, including their banking account. It’s another strong argument for using two-factor authentication everywhere."
Péter Gyöngyösi, Product Manager of Blindspotter, Balabit observes: "The VTech breach: sneak peek into the IoT security nightmare
"As it was reported by multiple sites, the Hong Kong-based toy manufacturer VTech was breached and a massive data dump containing the personal information and passwords of 4.8 million parents and their children became public. On top of being a massive security breach that involves underage kids, this incident showcases two things that can possibly go wrong if security does not evolve as the Internet-of-Things becomes more and more widespread.
"You need an account for everything. These kids wanted to play with a toy tablet. Their parents wanted to update the device every once in a while. Just as you don't want to set up an account to play with LEGO or to use your toaster, they probably did not want to do that for these VTech products, either. As more and more things are connected to and controlled through the Internet, it becomes less convenient or outright impossible to use a new tool without setting up an account. Having thousands of different accounts means there are thousands of places to steal your credentials from. Using single-sign-on services or a password manager to avoid password reuse becomes more and more important in a more and more connected world."
"Usability and manufacturing costs will always trump security. It is unrealistic to expect that security will ever be a priority in such consumer devices, especially in the cut-throat, fast-moving and highly seasonal market of children's toys. The excellent analysis of the breach done by security expert Troy Hunt [http://arstechnica.com/security/2015/11/when-children-are-breached-inside-the-massive-vtech-hack/] reveals that there were extremely basic problems with the security of these devices. Security was simply not a priority. Development had to happen fast, costs had to be kept low, and the user experience had to be fast and smooth as nobody wants to deal with complex IT problems after unwrapping a gift. This is not a unique situation, but hopefully, change will come, partly due to scandals like this. Manufacturers have to realize that these are not just toys but internet-connected cameras in the hands of underage children and design their security accordingly. And as users, we have to keep in mind that right now, security is a low priority for these devices and make conscious decisions about what data we trust them with."
Children's Apps & COPPA Compliance Security Expert Beth Marcus, CEO and Founder, Playrific says: "People are focusing on COPPA compliance but don't know how to secure data, which is the single most important thing in protecting the child consumer. All too often, those companies interacting with kids to entertain them focus on outward trappings, and not the sustainable internal systems to prevent hackers from getting access to potentially life-changing info on kids. Through the data access structure, it's crucial to prevent various data pieces from being put together by any external player - even when parental permission is given.
"You have to break the link between the data and the child, and the links between the various pieces of the data vault containing different elements of the individual's data. When kids are involved, saying 'sorry we didn't think about that' doesn't cut it. Hackers may never exploit data the way you think they might, that's why you can't risk having identifying information and behavior information tied together anywhere in the system at rest."
Jeff Hill, Channel Marketing Manager, STEALTHbits adds: "VTech is proud that no credit card or banking information was stolen, but ironically, the data that was stolen could potentially make this breach more damaging and dangerous over the long run. A stolen credit card can be cancelled, or at a minimum, its nefarious use by a criminal can be quickly discovered by today’s advanced data analytics technologies. Personal information, however, like a child’s name, birthday, and home mailing address can be used by clever and patient cyber-criminals to compromise personal information over time using highly targeted phishing attacks that leverage the initially stolen information. Much more disturbing, however, is the potential for child predators to obtain and exploit the children’s information. Given this, let us all hope the attacker is being honest when declaring he has no intention to sell or otherwise make public the stolen data."