IoT Teddy Bear Leaks Millions of Voice Recordings from Children and Parents


CloudPets’ connected stuffed animals leaked more than 2 million voice recordings of parents and children because of poor database security. This is only the latest compromise involving children’s toys.

The breach was first reported on Tuesday in a blog post by Troy Hunt, a Microsoft guru who specializes in cloud and online security. Hunt reports that CloudPets’ data was stored in a MongoDB database on an Amazon-hosted service that was publicly available and required no authentication, not even a password. Hunt goes on to say that the database was indexed by Shodan, a search engine known for finding connected things, and that evidence shows the stored data had been accessed multiple times by multiple people since December 25, 2016. CloudPets’ parent company, Spiral Toys, was notified at least four times about the breach; however, Hunt explains that some attempts to contact the company failed due to dead email addresses. In any event, the evidence left behind by criminal ransom demands means there is no way Spiral Toys was unaware of the leak.
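The two conditions Hunt describes, a MongoDB instance reachable from the internet and no authentication, can both be checked in a server's `mongod.conf`. The auditor below is an added example, not code from Hunt's post or from CloudPets; both sample configurations are constructed, and the parser handles only the simple two-level YAML subset shown.

```python
import ipaddress

WEAK_CONF = """\
# constructed sample: listens on every interface, access control not enabled
net:
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
# constructed sample: loopback plus one private address, authentication required
net:
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

def parse_conf(text):
    """Flatten a two-level 'section: / key: value' YAML subset into dotted keys."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if not line[0].isspace():                  # top-level line opens a section
            section = key if not value else None
        elif section:
            settings[f"{section}.{key}"] = value
    return settings

def audit(text):
    """Return findings for missing authentication and non-local bind addresses."""
    conf, findings = parse_conf(text), []
    if conf.get("security.authorization", "").lower() != "enabled":
        findings.append("no-auth: security.authorization is not 'enabled'")
    binds = [b.strip() for b in conf.get("net.bindIp", "").split(",") if b.strip()]
    if conf.get("net.bindIpAll", "").lower() == "true":
        binds.append("0.0.0.0")
    if not binds:  # the default depends on MongoDB version and packaging
        findings.append("review-bind: no bind address set; confirm the default")
    for b in binds:
        try:
            ip = ipaddress.ip_address("127.0.0.1" if b == "localhost" else b)
        except ValueError:                         # hostname or socket path
            findings.append(f"review-bind: {b} is not an IP; confirm what it maps to")
            continue
        if ip.is_unspecified or not (ip.is_loopback or ip.is_private):
            findings.append(f"exposed-bind: {b} is reachable beyond the local network")
    return findings
```

Calling `audit(WEAK_CONF)` reports both problems, while `audit(HARDENED_CONF)` returns an empty list. A clean result covers only the configuration file; firewall and cloud security-group rules still decide what is reachable.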

Although this is a wake-up call to parents, businesses can take a lot away from the CloudPets breach, explains cybersecurity expert Vinny Troia, CEO of NightLion Security. “Many businesses have not taken cybersecurity as seriously as they should be, until it’s too late,” Troia continues. “They take shortcuts that do not properly protect them against cyber criminals, and then are floored when their system becomes compromised.” Troia goes on to explain that today cybersecurity needs to be at the forefront of businesses’ minds or they are going to be the next Spiral Toys.

The CloudPets incident is only the most recent compromise involving IoT toys, and it is certainly not the last. Both businesses and parents need to take the proper steps to protect user data and their children from the darker side of the cyber world.


Securities and Exchange Commission cracking down on cyber security policies


For years the Securities and Exchange Commission (SEC) had a tougher bark than bite, but it decided that in 2016 it was going to crack down when it comes to cyber security. RT Jones Capital Equities, a small regional investment company, experienced a cyber attack from China that took the information of 100,000 of its clients, according to an article in the Financial Times. Since the SEC had earlier stated that investment bankers and broker-dealers should prepare cyber defenses, it was disappointed to hear of this cyber attack.

The SEC decided to list complaints about RT Jones’ failure to implement cyber defenses, which included not conducting periodic risk assessments, not encrypting sensitive data, and not having a breach assessment ready in case of an attack. Andrew Donohue, the SEC chief of staff, had warned that his agency would bring enforcement actions against companies’ chief compliance officers for looking the other way when addressing important compliance concerns.

The SEC is becoming stricter in order to prevent cyber attacks from happening. Companies that do not set up defense mechanisms need to look out not only for cyber attacks but also for the SEC.
