Five million customers’ details exposed in VTech hack

A toymaker's database compromised by hackers reportedly included the personal details of more than 200,000 children worldwide

The hacking of a database at Hong Kong-based toymaker VTech has reportedly exposed nearly five million customers’ details, raising fears of widespread cyber crime.

Information security experts said the detailed personal information stolen is likely to be traded between hackers and used for fraud or bait for targeted phishing attacks.

According to the electronic toymaker, its app store database Learning Lodge was accessed by hackers on 14 November 2015, but the company did not say how many customers were affected.

The VTech app store enables customers to download games, e-books and other content to VTech devices.

In an email to customers, the company said: “On discovering the unauthorised access, we immediately conducted a thorough investigation that involved a comprehensive check of the affected site and implementation of measures to defend against further attacks.”

VTech said the compromised database did not contain any credit card or banking information, but it did contain “general user profile information”, such as “name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history”.

The company said it had set up a general email address, as well as email addresses in the UK and elsewhere in Europe where it has customers, and in the US, Canada, Australia, New Zealand and Hong Kong to handle customer enquiries.

Information security experts say this is extremely worrying as it is the largest data breach to date concerning children, especially as it enables hackers to link them to their parents.

The compromised database reportedly included the personal details of more than 200,000 children worldwide, including their names, ages, dates of birth, genders and parents’ addresses.

“There’s enough detailed personal information in the stolen records to make those people targets for identity theft and fraud,” said Simon Moor, UK regional director at security firm Check Point. 

Hackers are likely to use the stolen information to trick VTech customers into revealing further personal details using targeted phishing emails that appear to come from Vtech or an affiliate company.

“It’s just a numbers game for hackers, as they can easily send tens of thousands of emails in the hope of tricking a handful of customers. Customers affected should be suspicious of any emails or even phone calls that relate to the breach, no matter how plausible, and should not give away more personal information,” said Moor.

VTech is the latest company to be hit by a high-profile breach in 2015. US health insurance firm Anthem lost 80 million records in February, US health insurance firm Premera Blue Cross lost 11 million customer details in March, adultery website Ashley Madison lost 37 million in July, and UK mobile and broadband provider TalkTalk lost personal details of almost 157,000 customers in October.

The breaches have prompted calls for stricter laws to force companies to take greater care in protecting customers’ data.

While some commentators argue that mandatory data breach notification laws in the US have had limited effect in improving data security, others say similar rules in Europe will force companies in the region to rethink the way they handle data.

Mandatory data breach notification requirements of recent European laws are likely to have the biggest effect on UK businesses, according to Ross McKean, partner at law firm Olswang.

“Currently there is no general data breach notification requirement in the UK, and most firms choose not to go public if they can avoid it so they don’t take a hit on their reputation,” he told Context Information Security’s Oasis symposium in London.

But the EU’s General Data Protection Regulation (GDPR) and Network Information Security (NIS) directive, which are both expected to be finalised before the end of 2015, will change that by making notification on most data breaches involving personal information mandatory.

This will mean most UK firms will have to change their approach to data breaches and ensure they have the processes in place to comply with European rules. 

Read more about GDPR

Read more on Privacy and data protection