Different time, different place
I am glad none of the toys I had as a child had this "membership"
Who's next Fisher-Price? Is my Fisher-Price phone tapped by default?
Up to 3.3 million Hello Kitty users have had their personal data exposed due to a database breach at the brand's online community SanrioTown.com, a security researcher has discovered. The sanriotown.com breach had been discovered online by researcher Chris Vickery who informed security blog Salted Hash. The exposed records …
I expect Mattel will be the next target, especially with the additional trove provided by NSA Barbie.
"If someone managed to compromise a child's identity, the fraud might not be detected for years because most parents don't monitor their child's credit record," noted Salted Hash writer Steve Ragan.
I don't know about your neck of the woods, but around here a child wouldn't have a bank account, an employer, a mortgage, a credit card, any other form of credit, or an electoral roll registration - so zero chance of them having a credit record to monitor.
What are you driving at, moiety? So there's a child called Tracy Timmons, say, and the miscreants find out the child's name and set up a whole load of accounts in the name of Tracy Timmons. Then what? And what is there to link the miscreants' Tracy Timmons with the original Tracy Timmons as opposed to the hundreds of other people, children and adults, who share the same name, and in some cases perhaps the same date of birth? (Address will have changed in the meantime, and names and dates of birth are publicly available anyway.)
Would it really be that hard to monitor database queries and shut off connections if it requests too many rows or performs too many requests? Such a basic bit of protection would do wonders to prevent breaches like this. No legitimate user is going to request tens of millions of rows of data over several tables, so why is doing so allowed? At best, it's a bug in the code that should be blocked and rectified anyway.
Assuming the data was pulled from an active db and not from a backup dump.
You'd also expect canary records and that sort of thing, right? Well, if they cared about security. However, if they got past the hardened web-server defences, I'm guessing the middleware and database bits were easy. Unbreakable they are not. Security in depth? We've heard of it.
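The two controls suggested in the comments above, a per-connection cap on rows and queries and a canary record that should never be touched, as an added example that is not part of the thread. It runs over a constructed query log (session id, rows returned, SQL text); the canary value, thresholds and log format are assumptions.

```python
# Added example: volume cut-off and canary-record alerting over a constructed
# database query log. Not from the thread; log format and thresholds assumed.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one query per line: "<session> <rows_returned> <sql>"
SAMPLE_LOG = """\
s1 1 SELECT * FROM users WHERE id=4021
s1 1 SELECT * FROM profiles WHERE user_id=4021
s2 50000 SELECT * FROM users
s2 50000 SELECT * FROM users OFFSET 50000
s2 50000 SELECT * FROM profiles
s3 1 SELECT * FROM users WHERE email='canary-7f3a@example.invalid'
"""

# Constructed canary identifier: a planted row no real user or feature ever queries.
CANARY_MARKERS = {"canary-7f3a@example.invalid"}
MAX_ROWS_PER_SESSION = 100_000   # assumed budget for one connection
MAX_QUERIES_PER_SESSION = 200    # assumed budget for one connection


@dataclass
class SessionState:
    rows: int = 0
    queries: int = 0
    blocked: bool = False
    reasons: list = field(default_factory=list)


def analyse(log_text, max_rows=MAX_ROWS_PER_SESSION, max_queries=MAX_QUERIES_PER_SESSION):
    """Return per-session state; a session is blocked once it breaches a budget
    or touches the canary. Later queries from a blocked session are dropped,
    mirroring a connection that has been cut."""
    sessions = defaultdict(SessionState)
    for line in log_text.splitlines():
        sid, rows, sql = line.split(" ", 2)
        st = sessions[sid]
        if st.blocked:
            continue
        st.rows += int(rows)
        st.queries += 1
        if st.rows > max_rows:
            st.blocked = True
            st.reasons.append("row volume")
        if st.queries > max_queries:
            st.blocked = True
            st.reasons.append("query count")
        # Simplification: the canary is matched in the query text; a real control
        # would inspect returned rows or trigger on the canary row itself.
        if any(marker in sql for marker in CANARY_MARKERS):
            st.blocked = True
            st.reasons.append("canary record")
    return dict(sessions)
```

Session s2 is cut off on its third query once the cumulative row count passes the budget, while s1's ordinary per-user lookups pass untouched.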
The problem with security is that it's difficult (expensive) and tedious. Hello Kitty will suffer for this, but how many firms think it won't happen to them? It appears companies are not willing to learn from others' mistakes.
I've had to teach my kids not to provide details online and that it's OK to lie to websites. False names, ages, addresses, disposable email addresses, that sort of thing. The rule of thumb is, if you wouldn't be happy handing over a sheet of paper with all the requested details on it to a stranger coming out of prison, don't hand it to anyone you don't know, who may well leave it around for an organised crime gang to take.
"The problem with security is that it's difficult (expensive) and tedious. Hello Kitty will suffer for this, but how many firms think it won't happen to them? It appears companies are not willing to learn from others' mistakes."
Realistically, they don't care. Not much anyway.
I've started giving fake names whenever possible - even if they don't lose your info to a hack, half of them will sell it on (legally or not).
Hello Kitty will suffer for this, but how many firms think it won't happen to them. It appears companies are not willing to learn from others' mistakes.
Right there is the crux of the matter and the problem/answer. What do they learn...? Pick one or all: Oh, our insurance covers it? Our customers soon forget about it? There's no penalty for this thing?
I think it is appalling and plain out disgusting that some people would target children and people who are bound not to be very versed in IT skills in general. There are some lines you shouldn't cross, and this is one of them.
But on the other hand I also can't help wonder how real this whole thing actually is. From what I can tell so far it's basically the word of one guy. Normally such databases are made online and get spread around quite heavily, but in this case that doesn't seem to be the case.
What also bothers me a little is when you mention thoughts like these the first thing you hear is: "but several big news outlets have reported this", as if that has any meaning when it comes to the legitimacy of a story... I know I can be quite the skeptic, but when it comes to commercial issues then the competition can also do very weird things; it's easy to try and ruin a company's reputation like this, especially without even having to provide any proof.
I mean... This guy ran to the media first and informed the company second. That strikes me as a little bit odd.
There are just so many of these with no immediate impact that we are reaching the point where it is just accepted. A few people rant but that is it. Companies, organisations, Government have all been hit and what? A few paltry fines months or years after the event. There have been so many data sets released that it is fair to say that very few people will have not been affected. More to the point, once the data has been accessed, there is even less control. The problem is that the authorities are incapable of dealing with this effectively because of delays in reporting and lack of effective legislation. They would also have to censure themselves!
These sorts of breaches should result in an immediate offline of the website with a standard holding page. This should then be followed up with some sort of fine that will have an impact, even if it is held in ESCROW temporarily. The challenge is to make companies report this without getting away with it.