
Safeguarding firm uKnowKids comes under fire for handling of child data breach

Child social media monitoring service uKnowKids has run into criticism for its response to a report of a vulnerability in one of its databases

Child social media monitoring service uKnowKids has come under fire for its response to a security report regarding its IT systems.

The report claimed that a database belonging to uKnowKids – containing the personal details of more than 1,700 children – was accessible online.

The US-based firm provides a service that enables parents to monitor and analyse their child's social networking and mobile phone activity.

uKnowKids was informed of the exposure by security researcher Chris Vickery, who discovered the database was configured for public access, requiring no authentication or password.

This meant that – in addition to the breach of names, email addresses, dates of birth, social media credentials and other details – more than 6.8 million text messages and nearly 2 million images were unprotected.

Vickery said there was no way to know for sure how long the data had been exposed to the public internet, or how many people had accessed it.

“Information collected by the Shodan.io search engine suggests that the database had been up for at least 48 days,” he wrote in a blog post.

According to Vickery, the company’s initial email response was positive, thanking him for the opportunity to fix the problem which “could easily” have threatened the business.

However, in a subsequent phone call, he said uKnowKids chief executive Steve Woda “tried all manner of intimidation tactics” against him.

Vickery said Woda had tried to convince him that anyone reporting the data exposure could face liability under the US Children’s Online Privacy Protection Act (Coppa).


uKnowKids late to notify users

In a blog post, Woda said that a “hacker” had repeatedly breached a private uKnowKids database in an “unauthorised manner” and notified the firm of the data exposure on 17 February 2016.

Although Woda claims the problem was fixed in 90 minutes, uKnowKids has been criticised for not notifying those affected by the breach until five days later.

Dodi Glenn, vice-president of cyber security at PC Pitstop, said the exposure of data relating to children is becoming a trend, following the exposure of 200,000 child details by VTech in November 2015.

“I think that UKnowKids.com was a little late on disclosing the breach, which is concerning, since I'm sure there are parents out there who do not want their children’s personal information and pictures out on the internet for everyone to see,” he said.

Disclosure provokes hostility

Glenn said that, instead of threatening security researchers, companies should treat them with respect and consider them an extension of their own IT department.

“They need to realise that these individuals aren’t trying to do anything malicious with their knowledge – they shouldn’t be threatened with lawsuits or the authorities being called on them. If a good guy can discover a hole, so can the bad guys,” he said.

At the DEF CON 23 hacker conference in Las Vegas in August 2015, security firm Rapid7 told Computer Weekly that – despite the importance of security vulnerability disclosure – it can be challenging to open up channels of communication with non-security companies.

Reporting a security vulnerability in a product or service is often perceived in a negative light by non-security companies, because it is “like someone in the security community telling them their baby is ugly”, said Tod Beardsley, security engineering manager at Rapid7.

Woda said uKnowKids had been “locking down on the facts over the last few days” with a forensics analysis of all systems.

“We plan to disclose all of the relevant facts to our customers, the media and the appropriate legal authorities, as soon as we are confident that our facts are 100% accurate,” he said.

Firm takes preventative measures

According to Woda, no financial information or unencrypted password credentials were vulnerable, and the data that was exposed related to “about 0.5% of the children that uKnowKids has helped parents protect”.

He said the company has reconfigured all encryption keys and data schemas, to “dramatically mitigate any previously breached data”; hired two security firms to penetration test the company’s systems, to identify any future vulnerabilities as quickly as possible; and is updating its existing internal security policy and frameworks, so that there is “zero ambiguity with respect to the daily, weekly and monthly security procedures” that the company will follow to protect customer data and corporate assets.

