I haven’t written about the VTech breach, partly because it was too close to home, and partly because the root causes are (or will be) depressingly familiar.
Almost certainly a symptom of how security is assessed, prioritised, funded, and therefore implemented in many, many, many retail firms. The god of money (especially in this madly-data-scooping, margin-squeezed, non-regulated sector) has big guns, and this time they’ve been turned on my kids. So a thank you to Cheryl Biswas, InfoSec I.T. Coordinator, Senior Writer and Business Development at JIG Technologies, for so eloquently representing the views so many of us share.
Data here, Data there, data data everywhere. And no – it’s not funny
It’s beginning to look a lot like what we don’t want for Christmas are those toys and gadgets that connect. Certainly not when you look at the rising numbers from the VTech breach: details, photos and chat logs on 200,000 kids and 5 million parents. You can’t just make that all better.
VTech left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. This data is from the company’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet. In online tutorials, the company encourages parents and kids to take headshots and use them in their apps.
Twitter was ablaze with commentary about how this impacts our most vulnerable sector: the kids. Because there is no acceptable level of tracking or exposure when kids factor in. While one hacker demonstrated the extent of the VTech breach without abusing the data, the fact is that there are others out there who have no scruples. Attackers know our failings and weak spots. They’ve invested time, money and effort into finding these. In the cyber realm, the Grinch doesn’t steal Christmas – he goes after identities.
In response, Mark Nunnikhoven recently wrote “The Attack Surface of Data” here on LinkedIn Pulse. In it he re-establishes the point we all need to remember: Data=Risk. The more of it you have, the greater the value it is, then the greater your risk. But people keep putting more data out there, and storing it in places it can’t be kept safe. Mark points out that, as we here know too well, security is an after-thought at best. “Typically security teams are faced with dealing with the aftermath of collection decisions. That’s unfortunate because the easiest way to secure the data is simply not to ever have it in the first place.”
He then proposes following “The Principle of Least Data”:
“An organization must collect and store only the data needed to complete their task”
The rest of Cheryl’s excellent post, with which I absolutely agree, is here