Parents have been advised to boycott VTech following criticism of how it handled a cyber attack.
The company’s terms and conditions state that parents need to assume responsibility for future breaches, which puts the personal information of customers at great risk, especially at a time when many are still learning about the perils of cyber crime.
Many people still believe that cyber crimes are usually perpetrated through laptops and are not aware of how other devices can be compromised. Hackers have become increasingly sophisticated in recent years, with attackers now able to breach tablets, phones and an array of other hardware.
Over 6.3 million children’s accounts were impacted by a breach last year. Following the incident, which took place in November, criminals were able to access photos and chat logs.
VTech responded to the incident by explaining that it carried out a “thorough security assessment” and took down its app store and a number of other sites over the Christmas period.
What is VTech doing wrong?
Australian security expert Troy Hunt highlighted the dangers of VTech’s approach, explaining that the company “allowed itself to be hacked”.
Mr Hunt stressed that VTech continued running its system despite a number of flaws including an SQL injection risk, unsalted MD5 password hashes and a lack of SSL encryption.
He noted that customers can be exploited simply through a manipulated ID, elaborating that just ID information was needed in order to receive information on both parents and children. No authentication token is required. Instead, all that is needed is a sequentially incrementing number.
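The flaw described above, a record lookup that trusts a sequential ID with no authentication token, is shown here beside a server-side ownership check. This is an added example, not VTech's code or Mr Hunt's; the record layout, session store and function names are hypothetical, and the sample data is constructed.

```python
import secrets

# Constructed sample data: family records keyed by a sequential integer ID.
PARENTS = {
    1001: {"email": "parent-a@example.test", "children": ["child-a"]},
    1002: {"email": "parent-b@example.test", "children": ["child-b"]},
}
SESSIONS = {}  # hypothetical session store: random token -> parent ID
DENIED = []    # audit trail of refused lookups, for monitoring


class AccessDenied(Exception):
    """The caller is not entitled to the requested record."""


def login(parent_id):
    """Issue an unguessable token (credential checks assumed done)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = parent_id
    return token


def get_parent_unchecked(parent_id):
    """Flawed pattern: the ID is the only input, so changing the
    number returns another family's record."""
    return PARENTS.get(parent_id)


def get_parent_checked(token, parent_id):
    """Hardened pattern: authenticate the caller, then authorise
    access to the specific record."""
    owner = SESSIONS.get(token)
    if owner is None:
        DENIED.append((None, parent_id))
        raise AccessDenied("missing or invalid session token")
    record = PARENTS.get(parent_id)
    if owner != parent_id or record is None:
        # Same response for "not yours" and "does not exist", so the
        # endpoint cannot be used to enumerate valid IDs.
        DENIED.append((owner, parent_id))
        raise AccessDenied("not authorised for this record")
    return record
```

A run of entries in DENIED from one session against consecutive IDs is the pattern a monitoring rule would alert on.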
Mr Hunt took particular offence at the company’s claim that any information sent or received on the site may not be secure and may be intercepted or acquired by “unauthorised parties”.
In response to this, he wrote: “But it’s their responsibility to secure it! Look, I’m the first person to acknowledge that there are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility.
“Certainly that’s the expectation of the customer – that the information they provide will remain secure – and VTech (or anyone else for that matter) cannot simply just absolve themselves of that responsibility in their terms and conditions.”
How can customers protect their personal data?
Ultimately, the security of personal data is the responsibility of a business rather than the customer, but there is much that can be done in order for customers to protect their information.
Firstly, all personal information needs to be properly protected with passwords regardless of whether it is offline or online. This way, it will be harder for cyber criminals to access your information.
As well as this, it is important that firewalls are always used and anti-virus programs are run frequently to make sure any malware is quickly removed.
It is also important that personal information is not left where unauthorised people can gain access to it. Notes, financial statements and other documents left out in the open can be picked up by individuals who then use them to commit cyber crimes.
One method could be the use of shredders, which will help to make sure that no personal information is left unguarded.