It's been barely a month since the VTech data breach resulted in the theft of over 6.4 million children's records, and yet another massive compromise affecting kids' data privacy is upon us—this time involving venerable children's toy and accessory brand Sanrio (of Hello Kitty fame). The data leak resulted in the exposure of details from more than 3 million user accounts: first/last names, birth dates, genders, countries, and email addresses, all openly available to the public. With children becoming prime targets for cyber criminals seeking low hanging fruit, companies that deal with and manage minors' data are increasingly under pressure to bolster their security controls and practices.
The data leak was publicized earlier this week when security researcher Chris Vickery discovered a database online consisting of 3.3 million user records from the SanrioTown website. Apparently data from several other Sanrio websites such as HelloKitty.com and mymelody.com were also freely available. And what initially was reported as a hack turned out to be less nefarious but nonetheless damaging: a misconfigured MongoDB server.
Questionable Track Records For Security
Sanrio later confirmed the exposed database contained 186,261 minors' records (those under the age of 18). Perhaps unsurprisingly, the data leak wasn't the first security incident to befall the Japanese pop culture giant. Back in April, the data of more than 6,000 shareholders were leaked from an online rewards program database. It's likely that consumers will be less forgiving than shareholders—especially when it comes to their children's data—and lawsuits will invariably ensue. In the case of VTech, numerous class actions lawsuits have been filed against the manufacturer for improperly storing and handling sensitive user data. The use of the easily-defeatable MD5 hashing algorithm for passwords and secret questions/answers stored in plain-text are a few examples of the company's security transgressions.
There's no arguing that data breaches are especially alarming when children are the victims. Here are some bonus alarm bells for the holidays: consider that the identity theft of minors usually goes undetected for years, since they are usually well into their teens before establishing—and viewing—their credit histories. Online vendors and websites catering to a younger audience therefore have a crucial responsibility in bolstering security efforts to protect the highly vulnerable. At the very least, misconfigured databases and insecure schemas—issues plaguing Sanrio and Vtech in recent events—should never go undetected. UpGuard's platform for continuous security monitoring and configuration integrity ensures that environments are configured securely and that no vulnerabilities go unremediated.
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Blog >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Blog >