VTech Hires Cyber Security Firm After Hack, Lawmakers Want Answers

VTech hired a company to help it with cyber security after a hacker gained access to the toy maker’s customer database — and private information about millions of adults and children.

The Hong Kong-based company announced Thursday that a team from FireEye is helping it with the fallout from the massive data breach, one of the largest documented consumer hacks.

VTech said in a news release that the United States-based company is helping it beef up its security after a November cyber attack in which a hacker accessed the manufacturer’s Learning Lodge portal, which allows customers to download a variety of content to VTech’s digital toys.

The company has said the data included information like email addresses and passwords but not credit card or social security numbers. The hacker who claimed responsibility for the attack has told Motherboard he also accessed pictures of children and logs of private chats between kids and their parents. Those were originally sent through a VTech service called Kid Connect, which allowed smartphone-using parents to exchange messages with children using VTech tablets.

The hacker has told Motherboard he has no plans to release the data.

VTech said about 4.8 million parents and 6.3 million children were affected by the hack. About 2.2 million parent accounts and 2.9 million child profiles are based in the United States, it said.

The company has suspended Learning Lodge, Kid Connect and several other websites as a precautionary measure, it said. VTech adds that it has reviewed the websites and taken steps to safeguard against future attacks, and hiring FireEye appears to be another one of those actions.

“We are deeply shocked by this orchestrated and sophisticated attack on our network. We regret that users of Learning Lodge, Kid Connect and PlanetVTech, some of whom are colleagues, friends and families, are also affected,” VTech Chairman and Group CEO Allan Wong said in a statement that accompanied the announcement. “We would like to offer our sincere apologies for any worry caused by this incident. We are taking all necessary steps to ensure that our users can continue to enjoy our products and services, safe in the knowledge that their data is secure.”

VTech said FireEye’s team will lead a forensic investigation into the attack and help review its customer data security protocols. The toy maker also said it is “cooperating with law enforcement worldwide to investigate the incident,” but did not mention any specific agency’s involvement.

On Wednesday, two United States lawmakers wrote VTech and inquired about the kind of information it collects from children and how the toy manufacturer safeguards that data.

Specifically, Sen. Edward Markey (D.-Mass.) and Congressman Joe Barton (R.-Texas) want to know how VTech complies with the Children’s Online Privacy Protection Act, which governs the data websites can collect from children less than 13 years old.

PC Magazine reported the VTech hack was the fourth largest breach of consumer data.

Children among 5 million affected by VTech hack

Hackers gained access to the private information of about 5 million adults and children who used VTech toys, and some security experts warn that similar data breaches could follow.

The Hong Kong-based digital toy manufacturer announced the massive data breach in a news release on Friday, saying a hacker compromised the company’s Learning Lodge earlier this month. The Learning Lodge is a portal that customers use to download content to VTech toys.

The hackers gained access to VTech’s customer database, which the company said includes information like email addresses and passwords but not social security or credit card numbers.

PC Magazine reported the hack was the fourth largest breach of consumer data on record.

The online technology magazine Motherboard reported on Monday that it spoke to the hacker behind the breach. The hacker claimed he also accessed photographs of children and transcripts of conversations between parents and their kids, some of which dated back to last November.

That data was reportedly sent through VTech’s Kid Connect service, a channel through which adults with smartphones and children with VTech tablets can exchange text and audio messages.

The hacker told Motherboard he didn’t intend to publish or release any of the data he obtained.

VTech said it investigated the breach and implemented steps to combat further attacks. Attorneys general from Connecticut and Illinois said they will also investigate, Reuters reported Monday.

The Reuters report quoted cyber security experts who cautioned that additional breaches like this one are possible. While many digital toys collect data, the experts told Reuters that toy makers don’t necessarily have the same security background as others in the tech industry.

“VTech is a toymaker and I don’t expect them to be security superstars,” Tod Beardsley, the security research manager at the cyber security company Rapid7 Inc., told Reuters. “They are amateurs in the field of security.”

Hong Kong’s Office of the Privacy Commissioner for Personal Data began a “compliance check” on VTech on Tuesday, according to a news release. The inquiry will examine if VTech did enough to safeguard the data before it was breached, as well as the corrective measures it implemented.