VTech data breach: Will the company have to revise its security priorities?

The technology company's 'Learning Lodge' app store was compromised to reveal data on children and parents who use the site. The company is making every effort it can to rectify the situation, but there are still steps to be taken. 

VTech's products are seen on display at a toy store in Hong Kong, China November 30, 2015. Shares of electronic toy maker VTech Holdings Ltd were suspended from trade on Monday after customer data was stolen in a cyber attack, sparking concern over the loss of information relating to children.

REUTERS/Tyrone Siu

December 1, 2015

On Black Friday, the technology-reporting website Motherboard reported that Hong Kong electronics maker VTech was targeted by hackers. Data compromised in the hack included the personal information of nearly five million people, many of them children.

VTech runs an online store called the “Learning Lodge” that sells apps, e-books, and other content for its suite of educational tablets and devices.

A hacker interviewed by Motherboard’s Lorenzo Franceschi-Bicchierai said that they used a "SQL injection" attack, a simple and extremely common hacking technique in which hackers enter commands into website forms in order to make the websites return the data they want. Such attacks are easy to defend against, but VTech did not have the proper protocols to do so.

“It was pretty easy to dump, so someone with darker motives could easily get [the information from VTech],” the hacker told Motherboard in an encrypted chat.

The information that the hackers uncovered included children’s photos and chat logs. It also revealed parents’ names and addresses, security questions, and passwords. VTech has said that credit card information, Social Security numbers, and driver's license numbers are not stored either in the Learning Lodge or in their customer database, and have not been affected by the breach.

VTech said that they were not made aware of the security breach until Motherboard notified them on November 24th. The company has since moved to try and rectify the situation.

The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong is running a compliance check on the company to make sure that they are handling consumer data in line with standard protocols. 

“PCPD has decided to commence a compliance check against VTech with an aim of finding out whether VTech had taken appropriate steps to safeguard personal data before the leakage; and what remedial actions are adopted thereafter to avoid the occurrence of similar incidents,” Mr. Stephen Wong, Privacy Commissioner for Personal Data, said in a statement.

Other companies that suffered data breaches have also been forced to reaffirm, or even revise, their security priorities to mitigate customers' fears. When Target was hacked in 2013, compromising the credit card data of some 40 million of its customers, the company chose to focus on the trust and loyalty that its customers, or "guests," had shown it in the past.

"We understand that a situation like this creates stress and anxiety about the safety of your payment card data at Target," then-CEO Gregg Steinhafel said in a statement. "Our brand has been built on a 50-year foundation of trust with our guests, and we want to assure you that the cause of this issue has been addressed and you can shop with confidence at Target."

What’s unusual about this breach is that, according to Motherboard, the hackers do not appear to have malicious purposes for the information they obtained: unlike in other recent data breaches, they decided not to sell the information they collected for a profit online.