There’s no new insight yet from VTech into the data breach that was initially thought to have affected 5 million parent-user accounts in mid-November. But the electronic toy maker continues to work with Hong Kong regulators to determine the root of the hack, which apparently also leaked information about children who use VTech toys, like the VTech InnoTab MAX, pictured above.
The database of VTech’s Learning Lodge app store, which allows customers to download apps, e-books and learning games, was breached on November 14 HKT (Hong Kong Time). The hack was discovered on November 24 and customers were notified on November 27.
In an update today (December 2 HKT) on its FAQ page, VTech said that, in addition to the 5 million user accounts, nearly 6.4 million child profiles were exposed in the data breach -- the majority of them in the U.S. According to VTech, some 2,212,863 U.S. parent accounts and 2,894,092 U.S. child profiles were exposed.
"In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts. In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles -- unlike account profiles -- only include name, gender and birthdate," the company said.
Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) has launched a compliance check on the data leak to find out whether VTech took the appropriate steps to safeguard personal data before the breach and also to investigate what remedial actions the company has adopted to avoid similar hacks in the future.
Who’s To Blame?
“PCPD will take appropriate actions in light of the results of the compliance check and make recommendations with a view to assisting VTech to comply with the Personal Data Ordinance and protecting the personal data of general public,” said Stephen Wong, the privacy commissioner for personal data, in a statement.
The investigation could spell regulatory trouble for VTech. If the company is found to be non-compliant with the PCPD’s Data Protection Principles, the privacy commissioner could demand a remedy with fines for defiance. Fines could reach HK$50,000 (about $6,450 USD), along with two years of jail time. If the offense still continues, a daily penalty of HK$1,000 ($129 USD) will accrue.
But the investigation could also clear VTech’s name in the incident if it turns out the company did everything it could to keep the data safe. What’s more, if hackers gained unauthorized access to the database with the intent of gaining some benefit, they could be subject to fines and prison. A hacker found guilty of causing psychological harm to victims of the breach, regardless of motive, could face a HK$1 million fine (about $129,000 USD) and serve a five-year prison term.
A Wake-Up Call
We caught up with Tyler Cohen Wood, former DIA (Defense Intelligence Agency) senior intelligence officer and cyber deputy division chief, to get her take on the incident. She told us the disturbing nature of this attack, with the target seeming to be children’s information specifically, should be a wake-up call to all consumers: many devices we connect to in our everyday lives lack robust security settings and can easily be hacked.
“Hackers are very aware of the lack of security on toys and other Internet of Things devices and will continue to exploit these vulnerabilities,” said Wood, who is also the current cybersecurity advisor of the eLearning provider Inspired eLearning. “It’s more important than ever for corporations to immediately address their threat concerns so that these types of cyberattacks can be thwarted proactively.”
It’s important for parents to recognize that predators can use any game or toy that has a social media component to target kids, Wood said. Parents need to explain to their children that not all the people they speak with online are who they say they are, she added. Parents should also ensure they use the strongest security settings possible on all toys and games.
“Also, parents should remain involved when their kids play social interactive games,” Wood said. “Companies can protect themselves by also using the strictest security settings possible on all potential threat vectors such as digital devices and ensure that they have a full employee security awareness education program in place.”