Cyber Incident Victim: iD Tech
Date:
Jan 2023
Location:
United States of America
Summary
A hacker stole personal data from a children's tech education provider, compromising names, dates of birth, plaintext passwords, and hundreds of thousands of email addresses. The breach impacted parent accounts linked to enrolled minors, with some evidence suggesting children's information—including potential health and billing details—was exposed. Affected families discovered the incident through third-party breach notification services rather than direct communication from the company, which neither publicly acknowledged the intrusion nor provided evidence of customer notifications despite claiming otherwise. The organization declined to share breach disclosure details or confirm regulatory reporting while citing an ongoing investigation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early 2023, iD Tech, a provider of on-campus and online tech courses for children, experienced a significant data breach first claimed by a hacker on January 3. The attacker publicly disclosed the intrusion in February via a cybercrime forum, asserting theft of nearly one million user records containing names, dates of birth, plaintext passwords, and approximately 415,000 unique email addresses. iD Tech did not contest these claims when contacted by TechCrunch, suggesting each compromised parent account likely corresponded to one or more enrolled children. Parents began learning of the breach indirectly in early March through third-party notification services like Have I Been Pwned, browser alerts from Firefox, or security software warnings. One affected parent confirmed their stolen data included child-specific details such as date of birth and gender, alongside billing information and health records like immunization status—information they had not provided for themselves. The parent emphasized that iD Tech had collected substantially more sensitive data than what was confirmed stolen, raising concerns about potential undisclosed exposure.
Despite mounting evidence and parental inquiries, iD Tech maintained silence regarding the breach throughout March 2023. The company neither acknowledged the incident on its official website or social media channels nor provided direct notifications to confirmed affected families. When contacted by TechCrunch, CEO Pete Ingram-Cauchi declined to explain the lack of public disclosure, refused to share copies of purported breach notifications sent to parents, and would not confirm whether the incident had been reported to state attorneys general as required by breach notification laws. iD Tech issued only a generic statement from an unnamed representative via a company email address, citing an ongoing investigation as justification for withholding comment. This non-responsive stance left parents reliant on external services for breach confirmation while lacking official guidance on potential risks or mitigation steps. The combination of exposed plaintext passwords, children’s personally identifiable information, and unaddressed health data vulnerabilities created unresolved security and privacy concerns for thousands of families.