Behind the Headlines: Hello Kitty and the cyber attacker

Tuesday 22nd December


What happened?

Sanrio Town, the official online community for fans of the cult Japanese cartoon character Hello Kitty, has been the subject of a major data breach, with nearly three million users’ private information leaked online. The data is suspected to contain personal details such as names, email addresses and images of children.

Why is it important?

This is the second largest data breach of a child-focused brand within the past month. In November, electronic toymaker VTech suffered a cyber-attack which led to 10 million accounts being hacked; 6.3 million of which were used by children.

Cyber-attacks are becoming an increasing business threat, with 90% of companies reporting security breaches in the past year, according to a government survey conducted by PwC. But 2015 has seen the media’s attention on such scandals intensify, with cyber-attacks at Ashley Maddison and TalkTalk hitting headlines across the globe and having sizeable repercussions for these businesses – as well as their customers in the case of Ashley Madison. However, this particular attack involves children’s data and ventures into the wider issue of online safety and what companies are doing to protect their youngest customers.

What’s the reaction been?

Sanrio has released a short statement stating that they are investigating the “alleged” breach and information will be shared once confirmed. On the Sanrio Town website, there is a short blog post on the breach which advises users to change their passwords and reiterates that no credit card details were stolen.

However, Sanrio’s statement arrived nearly three days after CSO Online, a security trade publication, revealed details of the breach. In the time between the CSO Online article and Sanrio’s statement, media began reporting on the story. Sanrio’s silence in this crucial time has resulted in news columns, such as the Daily Star, being filled with warnings to parents about the safety of their child’s information.

Furthermore, Sanrio’s statement has been challenged by the security analyst who originally discovered the ‘holes’ in Sanrio Town’s website. Chris Vickery, speaking to global news agency, Reuters, has undermined Sanrio’s official statement by explaining that the database was exposed for nearly a month and it would be “extremely easy for a bad guy to take the data.”

Best headline?

The Great Hello Kitty Hack of 2015The Daily Beast.

What’s next?

Both the delayed response and Sanrio’s weak statement do not inspire public confidence that Sanrio has handled this breach properly. The media is likely to continue to scrutinise Sanrio’s responses and handling of the situation, while parents may think twice before trusting the site to hold their children’s details safely.

Sanrio’s cyber-attack reiterates how all businesses need to take the issue of cyber security seriously to protect their reputation, as well as their customers’ data, especially when children are involved.

According to a 2015 Deloitte research paper on cyber security and consumer trust, a third of UK consumers would close their online account following a breach with the company they believe is responsible.

Sanrio shareholders will be asking what tangible measures are being implemented to better protect customer data. The company has already been the subject of a cyber-attack in April 2015, where 6,000 stakeholders’ details were suspected to have been leaked. Many will presumably be nervous to see whether the two breaches this year will have an impact on financial figures, and more importantly, Sanrio’s long-term reputation in the industry.

So will Sanrio fans be permanently put off by this latest attack? Probably not – the brand loyalty to Hello Kitty is too strong for users to abandon it.

Related News & Insight