A U.S. senator has called Spiral Toys onto the carpet for its data security practices in light of the recent CloudPets breach.
Sen. Bill Nelson (D-FL), a ranking member of the Committee on Commerce, Science and Transportation and backer of a 2016 report on security and privacy concerns related to children’s toys, sent a letter to Spiral Toys CEO Mark Meyers. Nelson’s letter includes 10 questions he wants Meyers to address by March 23, most of which concern the toy maker’s data collection processes, how they’re secured and whether the system was compliant with the Children’s Online Privacy Protection Act (COPPA), which requires companies to secure personal information collected from children.
“The breach of Spiral Toys raises serious questions concerning how well your company protects the information it collects, especially information collected from children,” Nelson wrote.
Nelson’s report released last year was in response to the 2015 breach of VTech, which exposed the personal information of six million children. Nelson told Meyers that the VTech attack “should have served as a wakeup call for toymakers who were not adequately protecting the consumer information they collect.”
Specifically, Meyers is to provide Congress with a summary of the breach that includes details, not only on the data that was accessed, but when and how consumers were notified, security measures in place to protect against intrusions, whether the company had a security officer in place prior to the attack, and policies to control data collection. Nelson also wants to know whether the company discloses to customers that it collects personal information, whether that data is shared or sold to third parties, and specific security questions about controls and procedures in place to protect data, and whether the company had been breached before.
News broke of the CloudPets breach on Feb. 27 after researchers Troy Hunt and Victor Gevers independently and privately disclosed in December that millions of private messages sent through the internet-connected toy were exposed online, along with personal information of more than 800,000 registered users.
Numerous attempts to reach a Spiral Toys security representative, as well as Meyers, went unacknowledged, prompting the public disclosure two weeks ago.
The breach was related to a spate of attacks against MongoDB instances in which attackers were able to find and access the databases and in many cases, copy and delete the data, leaving behind ransom notes asking for money in exchange for the return of the stolen data.
The private recordings, many of which were made by children and meant for family members or others authorized to receive them, were not stored in the stolen database. But the database did contain references (file paths) to the message files, which were stored in an Amazon Web Services S3 storage bucket.
“The database contains the business logic to let the application work. The database contains the metadata that links (like a ledger) to the random generated files in the AWS bucket system,” Gevers told Threatpost on March 1. “By knowing the paths to the files, you extract the data like that. So if you can write to the database you could change the ledger and point to other URLs.”
The database, Spiral Toys said in a notification letter it sent to California’s Attorney General, did include emails and encrypted passwords, which Hunt counters were not encrypted, but were hashed with bcrypt. Combined with a nonexistent password strength rule on Spiral Toys’ part, the hashed passwords could easily be cracked, Hunt said.
Nelson, meanwhile, was also critical of Spiral Toys’ lax security.
“Because Spiral Toys created no requirements for password strength, the hackers could have easily cracked many passwords by simply checking the data against common passwords,” Nelson wrote. “This information could then be used to access and download the private voice recordings of children and parents.”
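The two preceding passages make the same point from different directions: Hunt notes that bcrypt hashing does not save passwords that were never subject to a strength rule, and Nelson notes that such passwords fall to a simple check against a list of common passwords. The following example, added here and not code from Spiral Toys, Hunt or the original article, shows the control that was missing: a registration path that rejects short, single-class and denylisted passwords before hashing. It assumes a small constructed denylist and uses PBKDF2 from Python’s standard library as a stand-in for bcrypt, since bcrypt is not available without a third-party package; the field format of the stored hash is this example’s own convention.

```python
import hashlib
import hmac
import os

# Constructed sample denylist for this example. A real deployment would load a
# large list of breached and common passwords instead of these ten entries.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "letmein", "welcome", "iloveyou", "monkey", "cloudpets",
}

MIN_LENGTH = 12
# Stand-in work factor for the bcrypt cost the article refers to (assumption).
PBKDF2_ITERATIONS = 600_000


def check_password_policy(password, denylist=COMMON_PASSWORDS):
    """Return a list of policy violations; an empty list means the password is accepted.

    A slow hash only helps when the guess space is large, so the policy rejects
    exactly the inputs a dictionary check would recover: denylisted words,
    short strings and strings drawn from a single character class.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in denylist:
        problems.append("appears on the common-password denylist")
    if password.isdigit() or password.isalpha():
        problems.append("uses only one character class")
    return problems


def hash_password(password, salt=None):
    """Hash with a per-user random salt; format is algo$iterations$salt$digest (example convention)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password):
    """Registration path: enforce the policy first, hash only what passes."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        try:
            stored = register(candidate)
            print(f"{candidate!r}: accepted, stored as {stored[:40]}...")
        except ValueError as err:
            print(f"{candidate!r}: {err}")
```

The ordering matters: the policy check runs before any hash is computed, so a denylisted password never reaches storage, and the per-user salt means two accounts sharing a passphrase still produce different stored values.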
It’s likely the attack was not aimed at CloudPets specifically but was part of an indiscriminate sweep of exposed MongoDB instances. Spiral Toys said the database in question belonged to a contracted third party that was performing a migration on behalf of the company. Spiral Toys said this was a temporary scenario, and as a result, it never received a ransom demand. The company also denied knowing about the breach until Feb. 22.
In the meantime, the case highlights the risks to data belonging to children, something that Nelson has been prominent in demanding protection for.