Let’s face it, in today’s cyber landscape adults know there are risks involved in putting our personal information online. Our data – from credit card information to email accounts – is worth a lot of money to hackers.
Children, on the other hand, don’t have the same sort of information up for grabs. But that doesn’t mean their personal data isn’t valuable to criminals.
The massive data breach affecting electronic toy and education company VTech is shedding light on how kids can be targeted by cyber-criminals before they are old enough to control their own online accounts.
On Wednesday, the company confirmed more than 10 million customer accounts – including 6.3 million children’s user profiles – were affected by the data breach worldwide.
Over 316,000 Canadian kids’ accounts are said to be affected.
The breach affected the company’s Learning Lodge app, which allows customers to download apps, games and educational content to VTech products. The database contained parents’ personal information, as well as kids’ profile information, including names, genders and dates of birth.
It’s also alleged hackers were able to obtain children’s profile pictures, as well as chat logs between kids and parents.
But that basic information is enough to put kids at risk for identity theft, according to experts.
“Even though there was no parent credit card information stolen, criminals can take that basic biographical information and pretend they are the child to commit identity theft,” said Avner Levin, director of the Privacy and Cybercrime Institute at Ryerson University.
“Kids could be impacted with bad credit ratings and big difficulties down the line.”
Security expert Jessy Irwin was also quick to dismiss claims that children’s data “is worthless.”
“Look, we’re all bad at valuing our data. Saying kids’ data is worthless, won’t get hacked isn’t OK. Their identities have worth,” she tweeted after news of the hack broke.
“Trusting that people won’t hack something because it is worthless should not be a security or privacy strategy. Ever. Especially for kids.”
Levin warned that the breach, now rated the fourth-largest consumer data breach to date, also has major implications for children’s safety and security.
“You can imagine a scenario, when these images start to circulate, that people who prey on children now have the ability to get basic information about them – where they live, what they look like,” he said.
“In the real world we tell our children not to talk to strangers – but this is like we are exposing them here, through this lapse of security, to potentially coming up to them and gaining their trust.”
What can parents do to protect their kids?
Experts are now using the VTech breach as a good example to point out just how much information about their children parents are voluntarily handing over.
“Parents do a lot of posting and sharing of information about their kids online without putting a lot of thought to it,” Levin said. “You are posting a lot of information about your children that will have an impact on their lives and who they are as they grow up.”
The privacy expert suggests parents seriously weigh the pros and cons of using gadgets that require online accounts and personal information to operate.
“Besides the ‘cool factor’ why do you want to do it as a parent? What do you and your child get out of it? Does it really weigh in favour of using it when you see all the possible security risks?” he said.
If the answer is “yes,” there is no harm in using false information when creating an online profile for your child. In fact, many people used fake names or email addresses when creating Ashley Madison profiles, which turned out to be a saving grace for some when the website was hacked.
Of course, when it comes to their own personal data, anyone who might be affected by the VTech breach is urged to change their password on any other site that uses the same email and password combination.
But, as Levin points out, there is still a lack of accountability on the company’s part when it comes to this type of breach.
“We don’t have the right legal tools to go after these companies when something like this happens,” he said. “There is no fine or sanction that authorities are able to impose on them to hurt their bottom line. Maybe this is the breach that will help move us in this direction, but it demonstrates that we don’t have the ability to hold companies accountable at the end of the day.”