Trouble in toyland: No industry is safe from a security breach

Going through a data security breach is unsettling. One of the worst parts of the process is learning the root cause of the initial intrusion. As the Verizon Data Breach Report shows, security floodgates frequently open as a result of an unexpected, overlooked error. This could mean a file saved to the wrong location, access permissions granted to an irresponsible user or even the failure of a process you hadn’t previously seen as a security risk.

For example: your kid’s toys.

Kiddicare, a toy company based in the U.K., recently announced it had been targeted with a phishing attack, and a portion of its data had been compromised. Although the company denies that any credit card or financial information was involved in the breach, sensitive data – including phone numbers and residential addresses – belonging to 794,000 users may have been affected.

This is far from the first incident of its kind. VTech, a Hong Kong-based electronics company and one of the largest toy manufacturers in the world, was hacked in November 2015, in an incident that affected more than 6 million children and nearly 5 million parents across the world. Attackers collected massive stores of personal information – from names and IP addresses to birth dates and photos of children who used the program. Then, in the weeks following the VTech breach, I worked with Bluebox Security to uncover security flaws in Hello Barbie, a connected toy whose software component was manufactured by ToyTalk.

Toy manufacturers are prone to data breaches for a straightforward reason: many aren’t prepared to deal with the liability, and they haven’t taken adequate steps to protect their data. As connected technology becomes more pervasive among enterprises and consumers alike, it creates serious security implications that organizations in every industry must address.

Consider your own company’s security plan. Are you at risk for an unexpected breach, and if one were to occur, how would you respond? If you haven’t yet developed an incident response strategy, or you have one in need of an update, be sure to follow three best practices that can improve your overall vigilance and keep your sensitive data safe:

  • Respond immediately. Taking swift action in the face of a security threat – whether it’s a major breach or simply a scare – shows your customers you’re working to handle the situation and guard their data.
  • Approach your tech solutions with a hacker’s eye. In investigating the ToyTalk vulnerabilities, we found issues with authentication credentials, the toy’s affinity for connecting with unsecured WiFi networks and the app’s lack of self-defending behavior. Be sure you’ve tested the technology your company employs and your user access restrictions for every employee in order to avoid falling victim to such issues.
  • Take “relax” out of your data security vocabulary. When a source as seemingly innocuous as a child’s toy could threaten to take down your business, your company needs to respond by getting more serious about data security. Encourage employees to get educated about the evolving threat landscape, and work with solutions that can help your team look inside your data and keep its most valuable components safe.

For more security tips for device and data management, catch Andrew Hay’s upcoming session at Converge Conference in July.

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.