I first reported to you in November 30th’s Scam of the Day on the hacking of the Hong Kong company VTech Holdings Limited. The data breach involved the data of almost 12 million people and included personal information on more than 200,000 children. VTech’s Learning Lodge is an app store for high-tech learning games and other educational toys for children. Now police in the United Kingdom have announced the arrest of a 21-year-old man on charges of unauthorized access to a computer and causing a computer to enable unauthorized access to data.
The adult customer information compromised in the data breach includes names, email addresses, encrypted passwords, security questions and answers, IP addresses and mailing addresses. Although the passwords were stolen in their encrypted form, VTech used older, less secure encryption algorithms, which can be readily cracked by sophisticated cybercriminals. This means that the customers whose data was stolen are in particular danger if, like so many people, they use the same password for multiple accounts.
In addition, the potential for exploitation of the stolen children’s data brings a new wrinkle to this data breach. Children’s names and birth dates could be tied to their parents through the stolen information, thereby establishing a new avenue for identity theft and fraud. Spear phishing using this information, whereby malware-containing emails could be made to appear legitimate, poses a real threat to the victims of this data breach.
An interesting aspect of this arrest is the age of the person arrested and charged with the crime. A recent study by the UK’s National Crime Agency found that the average age of cybercriminals in the UK has dropped to 17. Last year, a similar report indicated the average age for British cybercriminals was 24.
Once again, people are becoming vulnerable to identity theft due to the lack of proper security measures by a company with which they do business. However, the failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft. The lesson is to remember that you should always have a distinct and unique password for each of your online accounts. It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations, such as any word in the dictionary or such common passwords as 123456. One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords”, and turn it into the basis for a password by making it IDon’tLikePasswords. This password is already complex in that it has words and a symbol. Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy-to-remember but strong password. Now you can just adapt it for each of your online accounts with a few letters to identify the account. Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong but easy-to-remember password.