Sanrio's Data Leak And The New Data Privacy Normal For Minors

Last updated by UpGuard on August 23, 2019

scroll down

It's been barely a month since the VTech data breach resulted in the theft of over 6.4 million children's records, and yet another massive compromise affecting kids' data privacy is upon us—this time involving venerable children's toy and accessory brand Sanrio (of Hello Kitty fame). The data leak resulted in the exposure of details from more than 3 million user accounts: first/last names, birth dates, genders, countries, and email addresses, all openly available to the public. With children becoming prime targets for cyber criminals seeking low hanging fruit, companies that deal with and manage minors' data are increasingly under pressure to bolster their security controls and practices.

The data leak was publicized earlier this week when security researcher Chris Vickery discovered a database online consisting of 3.3 million user records from the SanrioTown website. Apparently data from several other Sanrio websites such as and were also freely available. And what initially was reported as a hack turned out to be less nefarious but nonetheless damaging: a misconfigured MongoDB server.

Free eBooks on DevOps and Security

Questionable Track Records For Security

Sanrio later confirmed the exposed database contained 186,261 minors' records (those under the age of 18). Perhaps unsurprisingly, the data leak wasn't the first security incident to befall the Japanese pop culture giant. Back in April, the data of more than 6,000 shareholders were leaked from an online rewards program database. It's likely that consumers will be less forgiving than shareholders—especially when it comes to their children's data—and lawsuits will invariably ensue. In the case of VTech, numerous class actions lawsuits have been filed against the manufacturer for improperly storing and handling sensitive user data. The use of the easily-defeatable MD5 hashing algorithm for passwords and secret questions/answers stored in plain-text are a few examples of the company's security transgressions.

There's no arguing that data breaches are especially alarming when children are the victims. Here are some bonus alarm bells for the holidays: consider that the identity theft of minors usually goes undetected for years, since they are usually well into their teens before establishingand viewing—their credit histories. Online vendors and websites catering to a younger audience therefore have a crucial responsibility in bolstering security efforts to protect the highly vulnerable. At the very least, misconfigured databases and insecure schemas—issues plaguing Sanrio and Vtech in recent eventsshould never go undetected. UpGuard's platform for continuous security monitoring and configuration integrity ensures that environments are configured securely and that no vulnerabilities go unremediated. 


More Blogs

How CSR Works

All the information needed to perform a CSR assessment is bundled into the UpGuard platform. Learn more about CSR.
Read Blog >

What's In the Website Risk Grader?

The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Blog >

Understanding Risk in the 21st Century

And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Blog >


Related posts

Learn more about the latest issues in cybersecurity