Last week, an attacker stole data on millions of individuals from VTech, a company that sells Android-powered tablets and other toys geared toward children’s learning. The hack, illuminates how much data we trust to mobile device and software providers — even when we’re using PCs.
Parents use VTech’s Learning Lodge app store to purchase apps, games, eBooks, and more for their children’s devices through a PC-accessible website. The attacker abused it to steal customer names, email addresses, encrypted passwords, security questions and answers, IP addresses, mailing addresses, children’s gender, birthdates, and download history.
So, why would a company that creates mobile devices and software for children’s educational playtime have that kind of information? Because we find mobile devices, and the experiences they offer, valuable enough to provide it.
In this case, VTech’s tablets and toys provide educational play for kids. We trust these devices with our information because they provide us a valuable service in return. In this case, VTech’s tablets and toys provide educational play for kids.
It’s important, however, to realize that mobile devices, PCs, and more are all deeply connected because of the cloud. Information on one device is rarely siloed to that device, or that device-type (e.g. PC, smartphone, etc.). In other words, when you’re using an app on your smartphone, the data that app collects or accesses winds up in systems accessible by multiple types of devices, just like the data collected or accessed on a PC could end up in a system also accessible by mobile devices.
We need to recognize just how much information is being provided to mobile device and software operators — even down to our children’s toys. These aren’t just small screens, they’re complex, connected computer systems to which we trust much information about our lives. Indeed, as it comes to cybercriminals, it’s usually not the device they care about, but rather the data.
If your information was taken as a result of this hack, there are a few things you can do:
- VTech has already contacted all affected individuals. If you want to contact VTech directly, the company has provided email addresses for a number of countries, including:
- US: email@example.com
- UK: firstname.lastname@example.org
- Australia and New Zealand: email@example.com
- Hong Kong: firstname.lastname@example.org
- Other countries here
- Change your and your children’s passwords immediately, especially if you share passwords across accounts. Sharing passwords is a security don’t-do.
- Though credit card information, social security numbers, and other ID numbers were not stolen, according to VTech, you should still watch your bank accounts for suspicious activity, in the case that you used the same password for VTech as you did for your bank.
- Retire your usual security questions and choose new ones. Unfortunately, the cat’s out of the bag on your first pet’s name.