By now many of you will have heard about the recent cyber breach of toy maker VTech Holdings Ltd. Hackers were able to steal data revealing information about customers who downloaded children’s games, books and other educational content. What sets this breach apart from other high-profile data breaches in the past year is that much of this data provided information about the children that were using these games. Names, genders and birth-dates of these children have been compromised thanks to the breach.
“With fraud detection systems the way they are these days, most often if we have our identity used for opening a line of credit there are algorithms and other services in place that typically either identify or block the misuse of your credit,” says Chris Ensey, COO of Dunbar Security Solutions. “I believe strongly that what organizations that go after this type of data are attempting to do is find identities that don’t have a lot of credit history. You see a lot of breaches happen in colleges, where they gain access to large communities of individual identities that can be used to potentially open up new lines of credits or conduct other fraudulent uses like insurance fraud or fraudulent ID creation.”
VTech said in a statement that about 5 million customer accounts and related children profiles worldwide were affected. The breached database included names, email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses, download histories and children names, genders and birth dates. The targeted database did not include credit card information, ID card numbers, Social Security numbers or drivers license numbers.
“With something like this we’re focused on the children, while not talking about the fact that the bulk of information lost was adult identities,” says Ensey. “There’s related tables of information in this breach that included children names, date of birth, genders, etc., which can be tied back to the parents through a simple use of Excel skills. Utilizing that and cross-referencing the data is where it becomes more impactful. If you know the location of these children, you have a picture of them, date of birth, gender – that’s information that dark parts of the internet would pay value for. And that’s a scary thing to think about.”
What does that mean? Worst case scenario is kidnapping, human trafficking, and other nefarious, real-world schemes. An unfortunate and sickening thought, but one that is real in the world we live in. More likely, though, the information will be used to trick people, such as pretending to have kidnapped a loved one and demanding ransom money, a scheme that has been used in the past. Or, perhaps even more likely, the information will be sold, held onto for several years until these children come of age, and then the identities will be used for fraudulent credit plays. At the very least, the information can be used to portray more legitimacy when trying to use the parent’s information for fraudulent reasons.