Parents are still looking for answers weeks after hackers stole the personal data of thousands of users from kids’ tech coding camp iD Tech, with some fearing that their children’s data was compromised in the data breach.
iD Tech, which provides on-campus classes and online tech and coding courses for kids, has yet to acknowledge the breach or notify parents.
News of the data breach broke in February after a hacker on a cybercrime forum claimed to have hacked iD Tech a month earlier on January 3.
The hacker claimed to have stolen close to 1 million user records, including names, dates of birth, passwords stored in plaintext, and about 415,000 unique email addresses, which iD Tech did not dispute when reached by email. That can equate to each parent’s account having one or more kids in classes at the tech camp.
Some parents only found out as recently as March 6 when data breach notification services like Have I Been Pwned obtained the data and sent out notifications to affected families. Other parents found out when other services, like Firefox or their device security software, notified them that their information was found in the breached data.
One parent, who learned from a breach notification service that their data had been stolen, told TechCrunch that the stolen information is only a portion of the data that iD Tech collects on account holders and the children who use its platform, including gender, billing information, and some health data, like immunizations.
The parent said that the breached data must relate to the child’s date of birth because they never provided their own.
The parent said that iD Tech has not yet notified them of the breach. When the parent contacted the company to inquire, iD Tech claimed that it had already notified affected account holders.
iD Tech has not publicly acknowledged the breach, either on its website or any of its social media channels. And there’s no evidence that iD Tech has notified affected account holders of the breach, either.
When reached by email, iD Tech CEO Pete Ingram-Cauchi declined to explain why the company hasn’t publicly acknowledged the breach. When asked, Ingram-Cauchi declined to provide a copy of the communication that iD Tech claims to have sent to parents. The company declined to say if the breach had been reported to offices of state attorneys general per data breach notification laws.
Instead, iD Tech provided a brief statement from a generic company email address declining to comment citing its ongoing investigation. The sender of the email declined to provide their name for this story.
Ingram-Cauchi did not reply to a follow-up email.