Kids and Parents Caught Out as Toymaker VTech is Breached

A Hong Kong-based maker of children’s educational toys has suffered a data breach, exposing the details of potentially millions of children and their parents.

VTech, which builds “electronic learning toys,” revealed in a statement on Friday that an “unauthorized party” accessed customer data held in its Learning Lodge app store database on 14 November.

It continued:

“Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.”

The firm stressed that the database in question doesn’t store credit card information as Learning Lodge payments are processed by a third party provider.

Also missing from the heist will be personally identifiable information (PII) such as ID card numbers, Social Security numbers or driving license numbers, VTech claimed.

The firm didn’t reveal how many customers could be affected, but some reports put the figure at close to five million adults and the first names, genders and birthdays of as many as 200,000 children.

Those kids could theoretically be linked to their breached parents, exposing their full identities, it is feared.

James Romer, chief security architect at SecureAuth, argued that children can be a valuable target for hackers as they potentially won’t know their identity has been compromised until they’re much older.

“This kind of breach is simply not acceptable,” he added.

“Organizations, particularly those who hold this kind of information, must invest in advanced security systems alongside adaptive authentication for their users to mitigate the chances of this happening and render any stolen assets worthless.”

Check Point’s UK regional director, Simon Moor, argued that the information stolen is likely to be used in follow-on phishing attacks.

“There’s enough detailed personal information in the stolen records to make those people targets for identity theft and fraud. Hackers are likely to trade the stolen data as well as trying to trick customers into revealing further personal details using targeted phishing emails,” he explained.

“Customers affected should be suspicious of any emails or even phone calls that relate to the breach, no matter how plausible, and should not give away more personal information.”

Photo © Matthias Pahl

What’s Hot on Infosecurity Magazine?