Firstly, yes. Smartpets are a “thing.” They are a new type of internet-connected stuffed toy for small children. Parents and grandparents can record messages for their kids and upload them, and the children can play them back via their stuffed toy.
Unfortunately, the security surrounding the database wasn’t just bad, it was completely nonexistent. It wasn’t password protected at all, which allowed an unknown number of hackers to download it in its entirety. In all, more than 821,000 voice recordings and the personal account info of all the users were stolen.
Worse, on at least three separate occasions, the database was deleted, and a ransom note text file left in its place, so it’s not as though the company didn’t know that something was amiss. Their response to the repeated hacks and deletions?
In fact, the CEO of Spiral Toys, which makes CloudPets, complained that more was being made of the issue than was necessary and downplayed its significance. No corrective actions were taken, and the unprotected database was vulnerable from at least December 2016 to January 2017, when it was finally taken offline with no comment.
This is a textbook case of how not to handle a breach, and the company faces an uncertain future.
A breach, regardless of its size and severity, is a very big deal and should be treated as such. Not only does it put your own proprietary data at risk, but it can also lead to identity theft of your customers, to say nothing of the loss of trust, which can take years to earn back.
The Huffington Post reports, “Appearing on Channel Ten’s The Project, Internet security researcher, Troy Hunt said he has launched website Have I Been Pwned? to act as a registry for parents to check if their security has been breached, and claimed thousands of Australian families could have been affected… He also said the origin of the security failure was a public database of the information applied to the bears that hackers managed to find online. Unfortunately, this one was ridiculously easy. The company that runs the service left their database public on the internet without a password and people found it. It was that simple.” This happened in Australia.
This incident should be studied by every small or medium-sized business owner and should serve as a warning about the importance of digital security and its proper handling.