[BreachExchange] 21st Century Data Breaches: Not All Fun and Games

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 23 20:06:48 EDT 2017


http://www.jdsupra.com/legalnews/21st-century-data-breaches-not-all-fun-24426/

Data breaches can occur in the most surprising places. When data breaches
affect sensitive, private information—especially that of
children—companies can face scrutiny from regulatory agencies and be
exposed to civil (and perhaps even criminal) liability.  While hackers are
still targeting retail corporations and financial institutions, some
hackers have moved on to an unexpected new area: children’s toys.

Spiral Toys Inc. sells stuffed animals called “CloudPets.” These 21st
century stuffed animals are connected to the internet, allowing parents,
their children, and anyone with access to the stuffed animals to record and
send voice messages to each other.  Users simply download the “CloudPets”
phone app (the Android app has been downloaded over 100,000 times already),
and create an account by registering their emails and other personal
information with the CloudPets app.  Unfortunately, the combination of a
vulnerable security network and the sensitive nature of the private
information held on the CloudPets’ server made it an attractive target for
hackers.

In February 2017, cybersecurity experts discovered that the account
information of more than 800,000 CloudPets could be easily accessed by
anyone browsing the internet, without the need for a password. Even more
disturbing, as reported by cnet.com, nearly 2.2 million voice recordings
were also stored online in an insecure manner.  This includes potentially
millions of voice recordings of children.  According to the cybersecurity
experts, hackers appeared to have wiped the user database and held its
contents for ransom from the company.

Unfortunately, CloudPets’ security flaws do not appear to be an isolated
event. While retailers and banks have beefed up their cybersecurity in
recent years after a number of high-profile breaches, toy manufacturers
appear to be lagging behind.  In prior years, cybersecurity experts raised
similar concerns with an internet-connected Barbie doll.  Likewise,
cybersecurity concerns have been raised with other connected devices that
contain private information, such as fitness tracking devices like
Fitbit.

Data breaches result in serious legal and public relations consequences,
including a duty to disclose breaches to the public, regulatory fines, and
potential class action lawsuits. Civil actions premised on tort law, i.e.,
invasion of privacy, are also colorable causes of action for breaches
involving sensitive private information.

Finally, data breaches can also result in severe financial consequences for
the companies involved. For CloudPets, its security breach has directly or
indirectly caused its stock price to drop to 1 cent.  Moving forward,
manufacturers of “connected” 21st century toys and gadgets should study
cybersecurity best practices and cyber-threat trends to stay ahead of the
pack and reduce their likelihood of becoming targets for opportunistic
hackers.