
Friday, 04 Dec 2015

VTech Breach - Data, Data Everywhere


Cheryl Biswas @3ncr1pt3d on the huge potential impact linked to indiscriminate and careless data scooping and storage.

I haven’t written about the VTech breach, partly because it was too close to home, and partly because the root causes are (or will be) depressingly familiar.

It is almost certainly a symptom of how security is assessed, prioritised, funded, and therefore implemented in many, many, many retail firms. The god of money (especially in this madly data-scooping, margin-squeezed, non-regulated sector) has big guns, and this time they’ve been turned on my kids. So a thank you to Cheryl Biswas, InfoSec I.T. Coordinator, Senior Writer and Business Development at JIG Technologies, for so eloquently representing the views so many of us share.

Data here, Data there, data data everywhere. And no – it’s not funny

By Cheryl Biswas on LinkedIn

In the wake of the VTech breach from last week big questions are being raised about Big Data. Which is good because this is a conversation we’ve needed to have for some time. The data just keeps building and I hate to say this but any sense of control we think we may have over it, especially as regards our privacy, is illusory at best. Right now what I see is the Titanic sailing straight into a massive iceberg of insecurity.

It’s beginning to look a lot like what we don’t want for Christmas are those toys and gadgets that connect. Certainly not when you look at the rising numbers from the VTech breach: details, photos and chat logs on 200,000 kids and 5 million parents. You can’t just make that all better.

VTech left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. This data is from the company’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet. In online tutorials, the company encourages parents and kids to take headshots and use them in their apps.

Twitter was ablaze with commentary about how this impacts our most vulnerable sector: the kids. Because there is no acceptable level of tracking or exposure when kids factor in. While one hacker demonstrated the extent of the VTech breach without abusing the data, the fact is that there are others out there who have no scruples. Attackers know our failings and weak spots. They’ve invested time, money and effort into finding these. In the cyber realm, the Grinch doesn’t steal Christmas – he goes after identities.

In response, Mark Nunnikhoven recently wrote “The Attack Surface of Data” here on LinkedIn Pulse. In it he re-establishes the point we all need to remember: Data = Risk. The more of it you have, the greater its value, and the greater your risk. But people keep putting more data out there, and storing it in places it can’t be kept safe. Mark points out that, as we here know too well, security is an afterthought at best. “Typically security teams are faced with dealing with the aftermath of collection decisions. That’s unfortunate because the easiest way to secure the data is simply not to ever have it in the first place.”

He then proposes following “The Principle of Least Data”:

“An organization must collect and store only the data needed to complete their task”

The rest of Cheryl’s excellent post, with which I absolutely agree, is here.
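The “Principle of Least Data” quoted above is easy to state and rarely enforced in code. The following is an added example, not code from this post, from Cheryl’s article, from Mark Nunnikhoven’s article or from VTech: it puts the principle at the collection boundary, so that each purpose declares the fields it needs, every other field is dropped before storage, and high-risk fields (photos, chat logs, a child’s exact birth date) are reported so their arrival can be audited. It also shows the second half of least data, replacing a raw value with the coarse derived value the task actually uses. The purposes, field names and the sample sign-up record are constructed for illustration.

```python
"""Enforcing a "least data" rule at the point of collection.

Added example; not code from the post above, from VTech or from Mark
Nunnikhoven's article. Each purpose declares the fields it needs, anything
else is dropped before it can reach storage, and high-risk fields are
reported separately. Purposes, field names and the sample record are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Per-purpose allowlists (constructed): the only fields each task needs.
DATA_NEEDS = {
    "account_login": {"parent_email", "password_hash"},
    "age_appropriate_content": {"child_age_band"},
}

# Fields that should never reach storage for these purposes. They are dropped
# like any other surplus field but reported separately for auditing.
HIGH_RISK_FIELDS = {"child_full_name", "child_dob", "child_photo", "chat_log"}


@dataclass
class MinimisationResult:
    kept: dict
    dropped: list = field(default_factory=list)            # surplus, low risk
    high_risk_dropped: list = field(default_factory=list)  # surplus, high risk


def minimise(record: dict, purpose: str) -> MinimisationResult:
    """Return only the fields declared necessary for `purpose`.

    An undeclared purpose is an error rather than a pass-through: if nobody
    has said what data a task needs, it gets none.
    """
    if purpose not in DATA_NEEDS:
        raise ValueError(f"no declared data need for purpose {purpose!r}")
    needed = DATA_NEEDS[purpose]
    result = MinimisationResult(kept={})
    for name, value in record.items():
        if name in needed:
            result.kept[name] = value
        elif name in HIGH_RISK_FIELDS:
            result.high_risk_dropped.append(name)
        else:
            result.dropped.append(name)
    return result


def derive_age_band(dob_iso: str, today_iso: str) -> str:
    """Replace an exact birth date with the coarse band the task needs.

    Storing the derived value instead of the raw one means the exact date of
    birth never has to be kept at all.
    """
    dob = date.fromisoformat(dob_iso)
    today = date.fromisoformat(today_iso)
    # Subtract one if this year's birthday has not happened yet.
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if years <= 5:
        return "0-5"
    if years <= 8:
        return "6-8"
    if years <= 12:
        return "9-12"
    return "13+"


def collect(record: dict, purpose: str, today_iso: str) -> MinimisationResult:
    """Derive coarse fields from raw ones, then minimise for the purpose."""
    enriched = dict(record)
    if "child_dob" in enriched:
        enriched["child_age_band"] = derive_age_band(enriched["child_dob"], today_iso)
    return minimise(enriched, purpose)


# Constructed sign-up payload: far more than either task needs.
SAMPLE_SIGNUP = {
    "parent_email": "parent@example.com",
    "password_hash": "<password hash placeholder>",
    "child_full_name": "Example Child",
    "child_dob": "2009-06-01",
    "child_photo": b"<image bytes placeholder>",
    "chat_log": ["constructed message 1", "constructed message 2"],
    "marketing_opt_in": False,
}


if __name__ == "__main__":
    for purpose in DATA_NEEDS:
        r = collect(SAMPLE_SIGNUP, purpose, "2015-12-04")
        print(purpose, "kept:", sorted(r.kept),
              "high-risk dropped:", sorted(r.high_risk_dropped))
```

The point of raising an error for an undeclared purpose, rather than letting the record through, is that the allowlist then doubles as documentation: a new feature cannot start storing data until someone has written down what it needs. The `high_risk_dropped` list is the detection hook, since a client repeatedly sending photos or chat logs to an endpoint that never asked for them is worth an alert.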
