Smart Toys Put Children and Parents at Risk of Data Breaches

Internet-connected smart toys, a popular holiday gift item, have vulnerabilities that put both children and parents at risk of data breaches and identity theft.

Internet-connected smart toys, a popular holiday gift item, have vulnerabilities that put both children and parents at risk of data breaches and identity theft.

Smart toys, which connect to the internet and offer children a personalized, interactive play experience, were a very popular gift item this past holiday season. However, the interactive features of smart toys – such as the ability of the toy to remember a child’s name and birthdate, or even track their location – are made possible because the toys connect to the internet, just like all other IoT devices. Meanwhile, the cyber security of IoT devices and the information they collect are in serious question, and smart toys are no exception.

Internet-connected smart toys, a popular holiday gift item, have vulnerabilities that put both children and parents at risk of data breaches and identity theft.

Smart Toys as Cyber Weapons

Child identity theft is a very serious problem. A 2012 study commissioned by the Identity Theft Assistance Center found that 1 in 40 U.S. households with minor children (under age 18) had at least one child whose personal data had been compromised. Cyber criminals have no moral qualms about targeting even the youngest children. In fact, child identities are worth more than adult identities on the black market because thieves can often use them for many years before the victim realizes what has happened. Adults may discover that their identities have been stolen fairly quickly, such as after their credit card company alerts them of suspicious activity on their card. Minors, conversely, may not find out they have been victimized until they apply to college or attempt to rent their first apartment, only to find that their credit has been ruined.

Smart toys are the perfect vehicles for child identity theft because of the personal information they collect, including children’s full names, gender, street address, and birthday. Parents are at risk as well, since many smart toys require parents to provide their own information and even a credit card number to enable certain features. Additionally, since smart toys connect to parents’ home WiFi, they are subject to the same cyber intrusions as computers, routers, and all other connected devices; hackers could potentially get into a home network through a child’s toy and make their way to the parents’ computers.

Connected toys have already been hacked. In 2015, VTech, a manufacturer of smart toys and baby monitors, was breached, exposing the personal data of over 5 million parents and approximately 200,000 children. Shortly before Christmas in 2016, Senator Bill Nelson (D-FL) cited the VTech hack, as well as security vulnerabilities in other children’s IoT devices, when he called on the Federal Trade Commission to “carefully monitor” smart toys and demanded that manufacturers properly secure them. Among the other issues Senator Nelson’s investigation uncovered were vulnerabilities in a GPS watch manufactured by hereO that allows parents to track their children’s locations and a “Smart Toy Bear” from Fisher-Price that records what children say to it.

What Parents Can Do

Some consumer groups are so alarmed that they have advised parents not to purchase smart toys until manufacturers can properly secure them. At the very least, the following precautions should be taken:

  • Change the toy’s default login credentials immediately after purchasing it. Make sure to choose a unique, strong password.
  • Do not provide a smart toy with any personal data on yourself or your child, such as addresses or birth dates, and turn off any cameras, voice recording, or location-tracking features.
  • Make sure to download and install security updates for the toy’s software as soon as they are released. Be aware that manufacturers may stop supporting the toy with security updates once a new model has been released; at that point, it’s best to disconnect the toy.
  • Do an internet search on the toy’s manufacturer. If they have already experienced a data breach, consider returning the toy to the store.

What Manufacturers Should Do

The cyber security experts at Continuum GRC agree with Senator Nelson’s proactive cyber security suggestions for smart toy manufacturers, such as:

  • Limiting the amount of data collected to only that which is absolutely necessary for the toy to operate, and retaining children’s and parents’ personal data only for as long as absolutely necessary.
  • Making cyber security an integral part of a smart toy’s software development lifecycle, not an afterthought. Smart toys should have strong cyber security measures built into them from the beginning.
  • Continually reassessing the threat landscape and reevaluating the cyber security of individual toys, as the cyber threat landscape is dynamic, and new threats are continually emerging.

Smart toys and other connected devices used by parents and children are here to stay. The manufacturers of these devices have a responsibility to their customers and the general public to ensure that their products cannot be used as cyber weapons and vehicles for child identity theft.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

[bpscheduler_booking_form]

The Six Worst Data Breaches of 2016

As 2016 comes to an end, we look back at six of the year’s worst data breaches and what went wrong.

As 2016 comes to an end, we look back at six of the year’s worst data breaches and what went wrong.

It seems like not a day went by this year without reports of yet another major data breach, or two or three data breaches. From healthcare to fast food to adult entertainment, no industry was spared the wrath of hackers. Even the U.S. presidential election ended up being impacted by cyber security concerns, both real and perceived. Here, we review six of 2016’s worst offenders and what went wrong.

As 2016 comes to an end, we look back at six of the year’s worst data breaches and what went wrong.

1. The Yahoo Data Breaches

What happened: Three months ago, Yahoo disclosed that it had fallen victim to the biggest security breach in history, which compromised 500 million user accounts, resulted in at least 23 lawsuits, and put the company’s planned acquisition by Verizon at risk. As if that weren’t bad enough, last week, Yahoo announced that it had uncovered yet another breach, this one involving a staggering 1 billion accounts and casting another dark shadow over the Verizon deal.

What went wrong: Yahoo is paying the price for spending years putting “the user experience” ahead of cyber security. Afraid that strong security measures would annoy its end users, Yahoo continued to release products that it knew were vulnerable to hacks. While social media networks are full of memes expressing consumer annoyance at security requirements such as strong passwords, it’s far better to risk annoying customers than to leave their personal information open to data breaches.

2. The DNC Email Hack

What happened: The 2016 U.S. presidential race was already shaping up to be one of the most contentious in modern history when, in an echo of the 2014 Sony Pictures email hack, WikiLeaks released a number of damaging emails stolen from the Democratic National Committee’s email server. While most of the messages consisted of boring, routine correspondence, others were quite scandalous, including what appeared to be messages written by high-ranking party officials plotting to discredit candidate Bernie Sanders and planning to reward high-dollar DNC donors with federal appointments had Hillary Clinton won the election. In the end, the scandal forced the DNC’s chairperson, CEO, and communications director to resign.

What went wrong: Among other missteps, the DNC chose to run its own enterprise email server. This is almost always a bad idea, as most organizations simply do not have the monetary and human resources to properly secure one. While outsourcing enterprise email to a provider such as Google is not a guarantee against data breaches, it’s a good proactive step to tilt the odds in the organization’s favor.

3. The Wendy’s Point-of-Sale System Hack

What happened: At nearly the same time Wendy’s announced it would be switching from human clerks to automated ordering kiosks, the fast-food giant disclosed that its existing point-of-sale systems had been hacked, compromising customer credit card information from 1,000 of its locations in the U.S. In a [failed] attempt to deflect responsibility, Wendy’s implied that the data breaches were not the company’s fault because “only” independently owned franchises, not company-owned locations, had been breached, and that the franchisees were the bad guys because they’d chosen the wrong third-party providers to service their POS systems.

What went wrong: In addition to trying to pass the buck, which is a bad idea on numerous levels, a class action lawsuit against the company on behalf of dozens of credit unions alleges that the company, similar to Yahoo, knew that its POS systems had security problems but declined to address the issues. As the old saying goes, the first step to solving a problem is admitting that you have one.

4. The SWIFT Network Attacks

What happened: The SWIFT Network, a proprietary messaging system that banks around the world use to communicate with each other, was thought to be one of the most secure systems on Earth – until hackers managed to get into it by breaching user banks’ systems, accessing their SWIFT credentials, and requesting billions of dollars in fraudulent money transfers. Most of these were caught and flagged, but about $81 million, from a bank in Bangladesh, went through. The hackers behind the attacks are still at large, and SWIFT, as well as banks around the world, remain at risk of similar heists.

What went wrong: The methods used by hackers to breach the user banks’ systems were not new or particularly sophisticated; it appears that they used email phishing schemes to steal login credentials from unwitting bank employees. Many security experts believe that SWIFT may have been dependent on “security through obscurity.” Before this year’s hack, few people outside the finance world had even heard of SWIFT. Unfortunately, the internet has brought even the most obscure technology into the light, and organizations can no longer depend on their systems being un-hackable because “nobody has ever heard of them.”

5. The FriendFinder Networks Data Breaches

What happened: What could possibly be more embarrassing than having your political party’s dirty laundry aired by WikiLeaks? Having your account on the “World’s Largest Sex and Swinger Community” compromised. In October, FriendFinder Networks, the owners of numerous adult-oriented websites, disclosed that 412 million user accounts from six of its sites had been exposed, most of them from a swingers’ dating site called Adult FriendFinder. In addition to breaching user data, hackers also accessed source code and public/private key pairs.

What went wrong: Apparently, FriendFinder Networks learned absolutely nothing from the 2015 Ashley Madison hack. It stored its users’ email addresses and passwords in a wildly insecure manner, as plain text and converted to all lower-case. Because it engaged in few, if any, proactive cyber security measures, FriendFinder was a data breach waiting to happen.

6. The Hollywood Presbyterian Medical Center Ransomware Attack

What happened: While not technically a data breach, the ransomware attack on Hollywood Presbyterian Medical Center, which occurred in February 2016, set the stage for a spate of similar attacks on medical facilities in the United States, Canada, and the U.K. Hackers used ransomware to disable the hospital’s entire network, including its electronic health records (EHR) system. Desperate to get back in, the facility paid a $17,000+ ransom in Bitcoin. This greatly incentivized hackers by proving that they could easily extort big paydays from healthcare organizations.

What went wrong: It is believed that the Hollywood Presbyterian attack, like most ransomware attacks (and data breaches) occurred after hackers got hold of legitimate system login credentials, possibly through a phishing email or another social engineering scheme, then used them to get into the hospital’s systems and install malware. The healthcare industry is notorious for not providing its front-line employees with cyber security awareness training or taking other proactive steps to prevent ransomware attacks and data breaches.

Let’s hope that 2016 was the year everyone finally learned their lesson about the importance of proactive cyber security, and 2017 will be the year when organizations strike back against hackers.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

[bpscheduler_booking_form]

5 Ways to Protect Your Retail Store from Data Breaches

Both brick-and-mortar and ecommerce retail stores make attractive targets for hackers, especially during the holidays.

The 2016 holiday shopping season is in full swing, and fortunately for retail stores, consumers are not hesitating to reach for their wallets: Cyber Monday sales hit a record of $3.39 billion, surpassing estimates, and Thanksgiving and Black Friday receipts rose year-over-year by 11.5% and 21.6%, respectively.

5 Ways to Protect Your Retail Store from Data Breaches.However, not all is merry and bright for retailers. Retail stores are favorite targets of cyber criminals, especially during the holiday shopping season, when brick-and-mortar and ecommerce stores are flooded with customers, many if not most of them paying with debit or credit cards. Target’s POS system was attacked by hackers during the Christmas shopping season in 2013, in what turned out to be one of the largest data breaches in history; the company ended up paying out well over $100 million to settle lawsuits from banks and affected consumers. Just a few months ago, clothier Eddie Bauer discovered that all of its U.S. and Canadian stores were infected with malware. Neiman Marcus, Home Depot, and Wendy’s have also been hit with major POS data breaches.

It is far better for retailers to prevent hacks in the first place than to scramble to clean up the mess afterwards. Whether you operate a brick-and-mortar retail store, an ecommerce site, or both, here are five proactive cyber security tips to protect your store during the holiday season and throughout the year.

1. Make sure your store is PCI DSS compliant.

All major payment card issuers require that the retail stores that accept their cards be PCI DSS compliant. Additionally, some states have data privacy laws with standards that mirror PCI DSS or that explicitly mention PCI DSS. If your POS system or ecommerce site is breached, and your store was not PCI DSS compliant, you risk running afoul of your state’s laws, you may become embroiled in numerous class-action lawsuits from banks and consumers, and the credit card companies could impose fines amounting to tens or hundreds of thousands of dollars. If you do not or cannot pay the card issuers’ fines, you will no longer be permitted to accept their cards. While PCI DSS compliance alone will not protect you against breaches, compliance with this important data standard is the first step to a comprehensive data security plan.

2. Be sure to address the special security issues of POS terminals.

Brick-and-mortar retail stores with POS terminals have specific cyber security needs. Among other things, none of your POS terminals should be connected to a public WiFi network, your terminals must be monitored for card skimmers and other tampering and, no matter how tight your budget, you must purchase new POS systems from a reputable dealer. See this blog for more details on protecting POS systems in brick-and-mortar stores.

3. Train all of your employees, including temps, on cyber security best practices before letting them touch any of your computers.

The media portrays hackers as mysterious hooded figures sitting in dark rooms, tapping away at a keyboard as they hunt for “back doors” into networks. In reality, most data breaches are the result of hackers obtaining legitimate login credentials, often using social engineering schemes such as phishing emails or leaving malware-infected flash drives laying around for employees to pick up and insert into machines. All of your retail store’s employees, including temporary workers, must be trained in cyber security best practices before they are allowed to do any work on a computer, including a POS system. This training should include instructions to immediately report all suspicious emails or any other activity that just doesn’t seem right to a supervisor.

4. Keep all of your systems up to date.

This should go without saying, but many retail stores and other businesses fail to update their operating systems, software, and firmware on a regular basis. Because new threats emerge daily, and the updates often include security patches addressing the latest dangers, this leaves them open to cyber threats. Updates must be installed as soon as possible after they are released.

5. Restrict employee system access as appropriate.

No employee, whether permanent or a temp, should be given more system privileges than they absolutely need to do their job. For example, there is no reason that a packing and shipping employee needs to access employee tax data. Additionally, temporary workers should not be allowed to access your retail stores’ most sensitive data, such as customer payment information and payroll data. Jobs that require access to this type of data should be reserved for permanent employees who have a track record with your organization, have had more cyber security training than your seasonal workers, and have probably passed a more extensive background check.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.

[bpscheduler_booking_form]