Last week’s VTech hack, ranked #4 by number of accounts breached according to https://haveibeenpwned.com/, is yet another example of an organisation not getting the basics right. It seems to have taken a week for the breach to be spotted, and then by a third party, and there is a lot of upset and anger amongst parents who have used the site.
As always, the precise details of the incident are not clear, but going on what has been said by reliable sources and by the company itself, there are a number of serious concerns:
- Falling victim to a SQL injection attack: this is the online equivalent of leaving your door key under the plant pot by the front door. Even the most amateur of hackers can run effective SQL injection attacks. Whilst penetration testing by an independent organisation, as part of a comprehensive assessment before going live with a public-facing website, is the best way to test for this, companies should also ensure that their developers and testers understand what SQL injection is and how to prevent it.
- Finding out about your breach from someone else: focusing completely on protecting the perimeter has long since been shown to be the wrong approach. The assumption should be that someone will get in, and the focus should include being able to spot them quickly when they do.
- Collecting more data than is necessary: some of the data that was accessed is more than VTech really needed for the use it was put to. In the EU, the new General Data Protection Regulation will start its run-in period next year, and over-collection of data is one of the bad habits it aims to eradicate. Statements in privacy policies such as “the data our organisation collects includes but is not limited to” will no longer be acceptable.
- Not having a defence-in-depth approach: there is no point in keeping separate data sets, in this case children’s details and their parents’ details, if it is straightforward to connect the two.
- Not looking after passwords and the information used to reset them: it seems that VTech were using an easy-to-break algorithm and weren’t even bothering to encrypt reset details. These are attractive targets for hackers once they have got inside.
- Not communicating well with those who may have been affected: saying that you don’t collect credit information is of little comfort to parents worried that data relating to their children is now exposed.
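A minimal illustration of the first and fifth points above, added here as example code rather than anything from VTech or the original post: a user lookup written with string concatenation beside its parameterised form, and password storage using a salted, deliberately slow key-derivation function instead of a fast hash. The in-memory table, e-mail addresses and probe string are constructed for the demo and are not VTech's schema or data.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table for the demo; not VTech's real schema (assumption).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    # Slow, salted key derivation (PBKDF2-HMAC-SHA256). A fast unsalted hash
    # such as MD5 is the "easy to break" choice: a leaked table of such hashes
    # can be cracked offline at billions of guesses per second.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def register(db: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt, stored beside the hash
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def find_user_vulnerable(db: sqlite3.Connection, email: str) -> list[str]:
    # The "before": user input is spliced into the SQL text, so quote
    # characters in the input change the meaning of the query.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]

def find_user_safe(db: sqlite3.Connection, email: str) -> list[str]:
    # The "after": a bound parameter is handed to the engine as a value and is
    # never parsed as SQL, whatever characters it contains.
    return [row[0] for row in db.execute("SELECT email FROM users WHERE email = ?", (email,))]

def verify_login(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)

# Textbook tautology input a tester would use to check the lookup (constructed).
INJECTION_PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    register(db, "parent@example.com", "correct horse battery")
    print("vulnerable lookup returns:", find_user_vulnerable(db, INJECTION_PROBE))
    print("parameterised lookup returns:", find_user_safe(db, INJECTION_PROBE))
```

Run as a script, the concatenated query returns every registered e-mail for the probe input while the parameterised one returns nothing, which is the check a developer or tester can apply to any query that touches user input.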
It looks like 2015 will end as it started, with breaches that could have been prevented or, where prevention was not entirely possible, at least made difficult for the hackers.
Looking for Cyber Security Services you can trust – used by Government organisations, the Police, and hundreds of UK private sector companies? Click through to 7Safe’s information pages: