VTech Cyber Attack Exposes Data of Over 6 Million Families


VTech Holdings Ltd., a digital toy and gadget maker based in Hong Kong, has hired Mandiant, a forensics unit of FireEye Inc., to help the company strengthen the security of its systems after information on 6.4 million children was hacked, according to Reuters. Mandiant also helps victims of cyber attacks discover the magnitude of the hack, put their networks in order, and restore their systems.

The cyber attack took place last week, and VTech said law enforcement across the globe was investigating. Mandiant is also studying how customer information is handled at VTech and how the security of its data can be strengthened. Mandiant handled the breach of Target Corp. during the 2013 holiday season and the attack on Sony Pictures Entertainment last year.

US legislators have asked VTech why it collects data from children and how that information is secured. So far, two US states are investigating the attack, and the FBI declined to comment on whether it was involved in investigating the breach.

In the UK, the Information Commissioner’s Office (ICO), the country’s national data regulator, is also examining the attack. The cyber crime unit of Britain’s National Crime Agency would not comment on whether it was assisting in the investigations.

There were 6.4 million children and 4.9 million adults affected by the attack, nearly 5 million of whom live in Europe, including 2.8 million children, said VTech. The attack also affected a significant number of individuals in France, Germany, Spain, Belgium and the Netherlands.

Tech researchers have pinpointed flaws in the security of VTech’s InnoTab Max tablet for children, writes Brian Mastroianni of CBS News. On Wednesday, Pen Test Partners published the tablet’s security flaws. If a tablet is lost, re-sold, or stolen, information on the tablet such as PINs, email addresses, passwords, and other data could be extracted from the device.

Researchers at Pen Test Partners published a blog post about the VTech flaws. Concerning one of the flaws, the researchers said:

“This bug has been known about for well over 2 years,” the researchers wrote. “It’s a bit lame of VTech to continue shipping vulnerable tablets, tablets that expose children’s data.”

The second security flaw was a microSD card glued to the tablet’s motherboard, which took only seconds to remove. Sensitive data could be extracted from the removable SD card. What makes this breach different is that it was children’s personal data that was exposed, according to Ryan Kalember, SVP of Cybersecurity Strategy at Proofpoint.

The breach is a wake-up call for parents who may not be aware that digital products for kids have weaker security systems than other tech products — a fact that could have a detrimental effect on a booming industry. The UK’s Juniper Research explains that shipments of children’s tech equipment that connects to the internet will grow 200% over the next five years, say Jim Finkle and Jeremy Wagstaff of Reuters.

Juniper Research adds that toys that gather personal information from users will grow by 58% each year. Such toys as Hello Barbie and even baby monitors have been found to have multiple vulnerabilities.

On some underground markets, children’s names, birth dates, email addresses, and Social Security numbers are worth $30 to $40 because children have perfectly clean credit records. The price for the same data on adults is only $20, says Tom Kellermann, chief cybersecurity officer with Trend Micro Inc.

Blogger Troy Hunt told CNN that the hackers pulled children’s photos, chat logs, and other personal data. He added that the systems were so compromised that “deeply personal information is very easy to see.”

On Monday, VTech suspended 13 of its websites and notified those customers who had been affected. The company stated that no credit card information was taken and measures had been taken to defend against any further breaches.