UK Man Arrested in Connection with VTech Breach

UK law enforcers have arrested a 21-year-old man on suspicion of Computer Misuse Act offenses connected to the cyber attack on Hong Kong-based educational toymaker VTech last month.

Officers from the South East Regional Organised Crime Unit (SEROCU) swooped on an address in Bracknell yesterday, seizing a number of “electronic items,” according to a brief statement.

“We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with our partners to identify those who commit offences and hold them to account,” said head of the SEROCU cyber crime unit, Craig Jones.

“We are pursuing cyber criminals using the latest technology and working with businesses and academia to further develop specialist investigative capabilities to protect and reduce the risk to the public.”

The arrested man is suspected of two CMA offenses: “unauthorized access to computer to facilitate the commission of an offence;" and “suspicion of causing a computer to perform function to secure/enable unauthorized access to a program/data.”

VTech revealed in a statement at the end of last month that an unauthorized party had accessed its Learning Lodge app store database a fortnight previously.

Personal information including name, email address, IP address, mailing address, driving license and ID card numbers are thought to be among the data accessed.

Some reports put the number of those breached at approaching five million, as well as the first names, genders and birthdays of as many as 200,000 children—which some believe could be linked to their parents, exposing their full identities.

It emerged earlier this month that although VTech encrypted user passwords, it had written to customers admitting that it was “possible the hacker may have decrypted them.”

It’s thought the firm used the popular but vulnerable MD5 algorithm to hash customer passwords.

Johnathan Kuskos, manager of WhiteHat Security’s Threat Research Center, argued that password security is a two-way street.

“Increasing the complexity of their passwords is something that customers can do to protect themselves, but proper password storage is left to the organizations,” he explained.

“Businesses have a duty of care to better protect their customers by ensuring that they use robust hashing and salting techniques, in addition to requiring users to create the strongest possible passwords."

Photo © dcwcreations/

What’s Hot on Infosecurity Magazine?