Police in the United Kingdom believe they have caught the culprit behind a massive cyberattack against leading electronic toy maker VTech that compromised the information of nearly 5 million adults and over 6 million children.
The South East Regional Organized Crime Unit, or SEROCU, in Bracknell, a town about 30 miles west of London, arrested a 21-year-old man yesterday for alleged unauthorized access to a VTech computer. The police also seized several electronic items from the suspect as part of their investigation.
“Cyber criminality is affecting more and more business around the world and we continue to work with our partners to thoroughly investigate, often very complex cases,” said Craig Jones, head of the Cyber Crime Unit at SEROCU, in a statement. “We are still at the early stages of the investigation and there is still much work to be done. “We will continue to work closely with our partners to identify those who commit [offenses] and hold them to account.”
Here’s the back story: The database of the company’s Learning Lodge app store, which allows customers to download apps, e-books and learning games, was breached on November 14 HKT (Hong Kong Time). The hack was discovered on November 24 HKT and customers were notified on November 27 HKT.
The company said the attack compromised the profiles of 6.4 million kids around the world, along with 4.9 million parent accounts. “It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge Web site," the company said previously.
VTech makes a wide variety of children's toys, including the VTech My Laptop (pictured). The company's customer database holds a slew of user profile information. The personal identifiers in the database include names, e-mail addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories. The database also contains kids’ information, including names, genders and birth dates.
“We are pursuing cybercriminals using the latest technology and working with businesses and academia to further develop specialist investigative capabilities to protect and reduce the risk to the public,” Jones said. “Cybercrime is an issue which has no boundaries and affects people on a local, regional and global level.”
Consumers Are Unaware
We caught up with Tim Erlin, director of IT risk and security strategy for advanced threat detection firm Tripwire, to get his thoughts on the news. He told us the alleged VTech hacker initially claimed he perpetrated the breach to showcase vulnerabilities in the company's products.
“We don't know if this is really the case, but publishing personal information to prove a point is rarely well received. Good intentions can still result in illegal actions,” Erlin said.
However, this incident is about more than the Internet of Things, toys or security vulnerabilities. "It's shedding light on the vast amount of personal data that is collected and stored by a variety of consumer companies," Erlin said. "Consumers are typically unaware of how much of their data is collected or used, and how this data can affect their privacy."