VTech hack: Over one million UK parents and children affected

Over one million UK parent and child records have been compromised following the cyber attack on the servers of popular toy manufacturer VTech, the firm has admitted.

VTech announced on its FAQ page that 560,487 parent profiles and 727,155 child profiles have been stolen by hackers.

The US is the most affected country, with 2,212,863 parent profiles and 2,894,091 child profiles compromised.

Despite reports that audio files and chat logs were also stolen, VTech said that it cannot comment on the authenticity of the photos and recordings at this time.

“Audio files are encrypted by AES128, whereas chat logs are not encrypted. Our security protocols require that only undelivered messages are stored temporarily in our server. These messages are set to expire in 30 days,” the firm explained.

The ongoing investigation into how the breach occurred has found that the company server was breached; however, according to VTech, there is currently “no evidence” to suggest individual toy products are unsafe.

Furthermore, VTech said that there is no indication that any of the stolen data has been used or distributed online.

“Whilst all personal customer passwords are encrypted, even encrypted data can be susceptible to skilled hackers,” said the firm.

“We are advising you to immediately change your passwords on any other sites that may use the same email, secret question and answer, and password combination.”

Earlier in the week it was revealed that up to 190GB of private images and a huge cache of personal chat logs between parents and their children were among the data stolen, according to Motherboard.

The data included five million customer records covering names, addresses and passwords alongside roughly 200,000 personal details of children.

The data was stolen from VTech’s Kid Connect service that allows parents to chat with their children using a smartphone linked to a VTech tablet.

“Frankly, it makes me sick that I was able to get all this stuff. VTech should have the book thrown at them,” the apparent hacker told Motherboard.

“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store]. I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames of everyone in their Kid Connect contacts list.”

Furthermore, the hacked server contained numerous audio files and chat logs of conversations between parents and children. “Roses are red vilets [sic] are blue and I love you. Mommy and daddy,” read one of the messages.

The hacker has claimed that he will not release the images or chat logs online or sell them on the dark web.

VTech customer services said in a statement sent to V3: “We would like to offer our sincere apologies regarding this issue and assure you that we are treating the matter extremely seriously.

“We are waiting to be updated from our headquarters in Hong Kong about this issue, and as soon as we have any more information we will keep all of our customers informed. We apologise profusely again for this matter.”

VTech told V3 that the data was “in an encrypted state” and that it has now taken the Learning Lodge system offline to update its security.

“This update will strengthen the platform and protect data further so that problems like this do not arise in the future,” the firm said.

The company, which makes electronic education toys for children, discovered on 14 November that its Learning Lodge portal, used to let customers buy apps, games, e-books and other content for VTech products, had been breached.

“Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks,” VTech said in a statement.

The situation was discovered only after the company was asked by a journalist in Canada on 23 November whether there had been a data breach.

VTech admitted that the breach had left a huge amount of information exposed to the hackers, although one small positive was that financial information was not stolen.

“Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history,” the firm said.

“It is important to note that our customer database does not contain any credit card information, and VTech does not process or store any customer credit card data on the Learning Lodge website.”

Dangerous data theft for parents, and their children
The scale of the hack, and the fact that it includes information on children, has led to an outcry from security experts, who warned that firms still fail to take the safety of customer data seriously.

Security expert Troy Hunt said that the breach was one of the worst to have occurred this year, given that information on children has been stolen. This makes it easy for hackers to identify parents and children.

“When it’s hundreds of thousands of children, including their names, genders and birth dates, that’s off the charts,” he wrote in a blog post.

“When it includes their parents as well, along with their home address, and you can link the two and emphatically say ‘Here is nine-year-old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)’, I start to run out of superlatives to even describe how bad that is.”

James Romer, chief security architect for Europe at SecureAuth, was equally critical of the breach, noting just how widespread the impact could be.

“Children are a valuable target for hackers as they potentially won’t know that their identity has been compromised until they are much older and reliant on credit checks. This kind of breach is simply not acceptable,” he said.

“Organisations, particularly those who hold this kind of information, must invest in advanced security systems alongside adaptive authentication for their users to mitigate the chances of this happening and render any stolen assets worthless.”

Romer added that the hack should be a wake-up call for any organisation that handles personal data to have strong security in place, as any information is a tempting target for hackers.

2 December 2015 | 4:14 pm – Source: v3.co.uk

