A data breach at a popular toy company is causing serious concern. According to reports, an anonymous hacker gained access to VTech’s user database, which included children’s chat logs, names, and photographs. In an official statement, the company acknowledged the breach affected nearly 5,000,000 accounts.
As stated on VTech’s official website, the toy company was alerted to the data breach by a “Canadian journalist” on November 23. Although VTech was previously unaware of the breach, an extensive investigation revealed it actually occurred on November 14.
According to the statement, VTech did not announce the breach until November 27, as company officials wanted to confirm the details before alerting parents.
As discussed on the company website, the VTech data breach affected 4,854,209 parent accounts and the profiles of 6,368,509 children.
In an interview with Motherboard, the hacker, who wishes to remain anonymous, said they gained access to the children’s addresses, birth dates, genders and names. Even more disturbing, the database included audio files, chat logs, and photographs of tens of thousands of children.
Thankfully, the information will not be publicly shared or sold. However, the hacker said “VTech should have the book thrown at them” for failing to properly secure their database.
VTech addressed concerns about the audio files, chat logs, and photographs in their official statement. However, their answers were not entirely clear.
Company officials acknowledged chat logs were stored for a period of 30 days and were not encrypted. However, audio files and images, which were stored for a longer period of time, were reportedly encrypted with AES-128.
According to the statement, the company cannot specifically confirm which information was breached — as “the investigation is ongoing.” However, they assured their customers that credit card information and Social Security numbers were not included in the breach.
In his November 28 blog post, security specialist Troy Hunt said the breach was entirely avoidable.
“… what really disappoints me is the total lack of care shown by VTech in securing this data. It’s taken me not much more than a cursory review of publicly observable behaviors to identify serious shortcomings that not only appear as though they could be easily exploited, evidently have been.”
Although VTech admitted their “database was not as secure as it should have been,” they are currently working on a resolution — which will reportedly increase security and prevent a similar breach in the future.
Veracode security expert Chris Eng said many companies are increasing database security measures. However, “toy companies don’t have the rigor around secure development that’s needed in today’s environment.”
The VTech breach is especially frightening because the company specializes in electronic toys for young children.
As stated on the company website, VTech was founded in 1976 with a mission “to design, manufacture and supply innovative and high quality products…”
Although VTech has factories in Canada, China, and Germany, they are headquartered in Hong Kong.
VTech’s products are popular with parents and children, as they combine fun activities with learning exercises. However, as some of the games are played or purchased online, the company’s security protocols are a point of concern.
The recent security breach is a grim reminder that personal information and photos are often stored in databases that are not effectively secured.
Within the last month, a hacker managed to gain access to the personal profiles of millions of children with little effort. The hacker was also able to download “more than 190GB worth of photos.”
Thankfully, the hacker does not plan to use the information to cause harm. Instead they simply wanted to make parents aware that their personal information, and their children’s personal information, may be at risk.
As VTech toys will likely remain popular throughout the holiday season, the company has vowed to increase their security measures.