Toymaker VTech data hack: Parents and kids affected?

30 Nov 2015


VTech, a major Hong Kong-based toymaker, has been hit with a major security breach, with the personal details of up to 5m customers affected.

VTech’s customer data housed on its Learning Lodge app store database was hacked two weeks ago.

Learning Lodge is VTech’s service that lets customers download apps, games, e-books and other complementary products for their VTech products.

This case is particularly disturbing in that, among the millions of potentially affected customers, children’s information may have been accessed too.

According to Motherboard, which claims to have alerted VTech to the breach in the first place, the data dump of the hacked information includes information on 4.8m parents who purchased products by VTech, and names, genders and birthdays for more than 200,000 kids.

While VTech claims that credit card and payment information was not part of the information leaked, what was included should be enough to worry customers greatly.

“Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history,” said the company in a statement.

This kind of information means that hackers could, quite conceivably, correlate parents with children and addresses with habits, a point not lost on security expert Troy Hunt.

Off the charts

“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts,” he said.

“When it includes their parents as well – along with their home address – and you can link the two and emphatically say ‘Here is nine-year-old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)’, I start to run out of superlatives to even describe how bad that is.”

It has been a troubling month for toy manufacturers, actually, with the new Hello Barbie doll coming under fire in the US. The AI-infused doll can record what users say and store the information in the cloud.

However, this isn’t too secure either, apparently, with NBC allegedly hacking the device pretty easily.

There is a grey area here, it seems, with the manufacturer maintaining that all information obtained is relatively useless but, as David Bisson notes, remarkably similar scenarios affecting smart TVs recently didn’t go down well with consumers.

When those consumers, then, are purchasing – and relying on the safety of – gifts for children, you get the impression the fallout could be at least as significant.

Gordon Hunt was a journalist with Silicon Republic