USA Today reports the story of a data breach so easy a kid could do it…literally. A five-year-old named Kristoffer Von Hassel figured out a way to hack into his dad's Xbox account in order to play video games his dad had forbidden.
Maybe "hack" isn't an appropriate word for what this kid did. Maybe "stumbled onto a security flaw" is a more accurate way of describing his work.
When locked out of his Xbox, Von Hassel tried to log in under his father's account. After failing to enter the account password correctly, he was taken to a password verification screen. Amazingly, by hitting the space bar a few times and hitting "enter," the kid was able to log in under his dad's account.
And that is the story of the five-year-old who breached Microsoft's security.
What Does Microsoft Do When a Five-Year-Old Discovers a Security Flaw? Give Him a Promotion!
Microsoft is well-known as a company that rewards outside security experts who discover flaws in its products. In fact, it runs a "blue hat" bug bounty program. (We highlighted bug bounties as part of our year-end round up in "2013 Year-End Highlights: 5 Major Trends in Data Breaches and IT Liabilities.") But how does Microsoft reward a security expert who is five years old?
For starters, little Von Hassel got a gift package from Microsoft that included a year's subscription to Xbox Live and free games. That's not bad, but what he got next is even better – and it's going to look great on his resume when he applies for college in, say, 13 years.
Microsoft officially listed Kristoffer Von Hassel as a "security researcher" on its website. Not too shabby. His father seemed mostly impressed, saying it was "pretty cool" that his son was able to hack a product made by one of the tech world's biggest companies. Apparently, Von Hassel won't be grounded.
What Can We Learn From Microsoft's Blunder
Stories like this are humbling: a computer giant like Microsoft can invest millions in a product, ship it around the world, and then suddenly find out that its security can be breached by a five-year-old looking to play video games after coming home from kindergarten. That sound you just heard was Microsoft's engineers crashing back down to Earth.
What does a story like this mean for the average IT business? There are two takeaways:
- Kids use their parent's technology. You might not immediately think of this, but it's a serious risk that IT firms have to deal with. If a client's employee takes their laptop home and lets their child use it, the child could easily and accidentally download malware or click on a phishing email.
- Any business can make mistakes. Big firms like Microsoft and Target make news when they have data security problems. In reality, many small firms have the same problems every day, but their stories don't make the news. If Microsoft can spend millions on a product and still have security flaws, chances are that an independent mobile developer could have a security flaw in her app and not even know it.
While there's no insurance to protect you from five-year-olds who want to play video games, there is insurance that will protect you from data breaches on your clients’ network and security flaws in your software. It’s called Errors and Omissions Insurance. Learn more by reading our Protection for Tech Pros eBook.
