When we talk about cybersecurity and digital safety in the context of our children, it’s often framed in one of two ways. Either it’s about inappropriate or unsafe content – of the sort that COPPA is meant to regulate in the US. Or it’s about managing the psychological and social impacts of excessive screen time. But there’s an elephant in the room.

Our kids are exposed to many of the same identity, privacy, and data security risks as their parents. In fact they may be even more at risk. Helping them understand how to protect their data and online accounts at an early age is an increasingly important parental responsibility.  

Why do people want my kids’ data?

Our children are digital natives. From an early age they might have logins to school accounts, gaming profiles, cloud photos, health records, and accounts with a variety of other apps. All of these contain potentially lucrative data for identity thieves.

Why is this information a popular target? Because from a fraud perspective it has a relatively long shelf life. That means, if it’s stolen and used by a scammer to open a new line of credit, it’s unlikely the victim would find out, until perhaps they apply for their first loan many years later. What’s more, it will have a pristine credit score, meaning the fraudulent application will likely sail through unchecked. Fraudsters might use it as is, or combine it with made-up information to create synthetic identities.

The emergence of AI tools has made it far easier to spin up these fake identities. They might be harder for companies to spot. But when they do finally flag fraud, the impact on your child’s credit history can be severe.

These are not theoretical risks. One report reveals the story of risk and compliance professional Renata Galvão, whose identity was stolen at the age of six and used to run up debt in excess of $400,000. It reportedly took her over two decades to clear her name and restore her credit rating. In another case, Axton Betz-Hamilton was 11 when her identity was stolen and used to rack up thousands of dollars in unpaid credit card bills. She only found out when applying to set up her first utility bill at college.

Current data is hard to come by, but the FTC claims that child identity theft increased by 40% between 2021 and 2024.

What could go wrong?

Children’s data is at risk in other ways. Kids might be digitally savvy enough to set up online accounts, but they’re not always security-smart. They may be more prone to fall for a phishing message; especially if it appears to be sent from a trusted authority or friend. Too-good-to-be-true offers, innocuous-looking quizzes and FOMO-type ads are all more likely to hit home if the target is a credulous 13-year-old rather than a skeptical adult. Kids are also more likely to unwittingly download malware onto their devices or share their passwords and personal info with their peers, compounding security risk.

roblox-hacked-accounts
Roblox gamers sharing their experiences after downloading fake versions of Solara. Source: YouTube

But it’s not just our children who represent a potential weak link in the security chain. Research from the University of Southampton last year found that nearly half (45%) of parents regularly share information about their children online. Sharenting like this increases the risk of it falling into the hands of fraudsters. Around one-in-six children have already experienced at least one form of digital harm, including cyberbullying, privacy breaches, or identity misuse, the study claimed.

There’s also a growing risk that the edtech vendors, school platforms, gaming providers, smart toy makers, social media companies and other firms entrusted with your child’s data are themselves breached. The non-profit Identity Theft Resource Center (ITRC) tracked 3322 data breaches in the US last year – an all-time high and a 79% increase from five years ago. Nearly 279 million victims had their data exposed, with the healthcare and education sectors among the top five for breaches.

The proliferation of AI apps is also a privacy risk. Kids may use AI tools with no understanding that they’re actually sharing sensitive information which could end up in the wrong hands if the provider is breached.

Gaming accounts are another attractive target for fraudsters. They contain highly prized assets such as:

  • Your credit card/financial information, for use in fraud
  • Social graphs that can be used to spam/phish other kids in the same network
  • Skins, which can be stolen and cashed out
  • Private chats which may contain monetizable information

All of which creates a large potential surface for your child’s personal information to be exposed.

How to check if something’s gone wrong

There are several ways to check if your child has had their identity or personal information (including credentials) stolen. The following should all be red flags:

  • Passwords that suddenly don’t work, indicating someone has accessed their account and changed the logins
  • Missing skins, coins or other items in your child’s gaming account
  • Notifications about account changes, logins or resets
  • Purchases that you didn’t authorize
  • Friends and contacts reporting strange activity or messages from your child’s account
  • Your child is denied welfare benefits (because someone else is using their Social Security details)
  • They are denied a student loan or bank account due to a poor credit rating
  • Your child receives a government notice claiming unpaid taxes (because someone is using their details to register for new jobs)
  • You receive phone calls or correspondence claiming overdue bills run up by your child

It’s a shared responsibility

In truth, there are multiple stakeholders involved in protecting your children’s identity data. Parents are the most obvious. But also your school, and the app developers and device makers they are often forced to share information with. No single party can manage and secure the entire data lifecycle.

So what can you do as a parent? Limit data sharing, securely configure account settings, and teach your child best practices.

Start with the data. Take a step back and consider whether it really is necessary to set up that new account, grant permissions to that school app, or “sharent” online. Data minimization is one of the core principles of the GDPR. The less personal information is out there, the lower the risk of it ending up in the wrong hands.

Next, for the accounts they do have, adjust the settings to minimize risk. That means long, strong and unique passwords for every account, stored in a family password manager. That will reduce the risk of brute-force attacks. Switch on multifactor authentication (MFA) where possible to mitigate phishing risks.

Review all the privacy settings on all their apps and social platforms to lock them down to the most secure version. That should mean location sharing/tracking is restricted or turned off. Restrict any in-app purchases so they require your approval. Keep all devices and apps updated so they’re less exposed to hacking attempts. And use in-app parental controls where available to monitor usage and minimize sensitive data sharing.

Apply for a credit freeze for your child’s identity with all three major credit bureaus. This will require some paperwork, but is worth it for the peace of mind that means no third party can apply for credit in their name.

Finally, it’s time to sit down with your kids and explain the importance of identity protection, what’s at stake, and how bad people can steal and use their data – including popular phishing tactics. Teach them the basics of good password management, and how to spot suspicious activity online. Above all, they should feel safe telling you anything.

Keeping your child’s identity safe should not be about restricting their digital world. It’s about giving them the confidence to traverse it safely – now and in the future.