VTech Data Breach Affects 5 Million User Accounts
By Jennifer LeClaire / CRM Daily
Chinese electronic toy maker VTech has been hacked, revealing the information of 5 million customers. The database of the company’s Learning Lodge app store, which allows customers to download apps, e-books and learning games, was breached on November 14 HKT (Hong Kong Time). The hack was discovered on November 24 and customers were notified on November 27.

VTech makes a wide variety of children's toys, including the VTech Tote 'n Go Laptop. The company's customer database holds a slew of user profile information. The personal identifiers mentioned in the company’s report include names, e-mail addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories. The database also contains kids’ information, including names, genders and birth dates.

“It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge Web site,” the company said in a statement. “To complete the payment or check-out process of any downloads made on the Learning Lodge Web site, our customers are directed to a secure, third-party payment gateway.”

Serious Risks

We turned to Mark Bower, global director of product management at HP Enterprise Data Security, to get his thoughts on the breach. He told us there are regulations in place about the collection, storage and use of data involving children -- but perhaps they need to be rethought, as compliance may not be enough to protect today’s children’s data from advanced threats.

“In the United States, the regulation is called COPPA, Children’s Online Privacy Protection Rule, which is regulated by the FTC. There are specific controls that must be adhered to in collecting and using children’s data, and several companies have been fined to date for non-compliance,” Bower said. “Breach of children’s data in itself has many serious risks, as you could imagine, and anyone collecting such data must take steps to protect it from advanced attacks as in this case.”

Will KidSAFE Help?

The COPPA regulation relates to ensuring consent to collect data for the most part, but the rule is quite specific about limiting the disclosure of information, Bower said. However, compliance may not take into account the inevitable breach scenario after which it’s too late, he added.

“Programs designed to allow vendors to meet COPPA, like kidSAFE, don’t go far enough against modern attack vectors,” Bower said. “KidSAFE requires only basic protections.”

From Bower’s perspective, the breach reminds us how important security controls are for protecting children’s data from being breached. If the data itself is not secured, it is at risk of theft irrespective of access controls and firewalls. Breach after breach has proven this beyond any doubt, he said.

“Perhaps this is a call to action to revise and enhance kidSAFE and COPPA in light of this breach,” Bower said. “The risk can be mitigated easily today. Leading vendors who truly value the security of their customer, and more importantly sensitive children’s data, can get ahead of the attack and compliance challenges in one swoop by adopting modern data-centric security to secure the data in use, in motion and in transit -- not just the increasingly translucent IT perimeter.”

Editor's Note: An earlier version of this article incorrectly stated that VTech is part of the kidSAFE seal program.

Tell Us What You Think


Posted: 2015-12-01 @ 8:52am PT
@Shai Samet: Thank you for pointing out that VTech does not currently participate in the kidSAFE program. We have corrected the article accordingly.

For reader reference, the membership directory of companies participating in the kidSAFE program can be found here:

Shai Samet:
Posted: 2015-11-30 @ 10:59pm PT
VTech does not currently participate in kidSAFE and does not hold kidSAFE's certification for basic safety protections or COPPA compliance. A simple search of our membership directory would have confirmed this. This article should be amended to reflect the truth.

This is Shai Samet, founder and president of the kidSAFE Seal Program.

© Copyright 2018 NewsFactor Network. All rights reserved.