Have any questions? Just call us at 1.866.900.4236

VTech Data Breach: 5 million records, including Photos of Children

Yesterday, Hong Kong based toymaker VTech (VTech Holding Limited) announced a data  breach of approximately 5 million customer records and related kids profiles worldwide were affected by this data breach. VTech's online portal more commonly known as Learning Lodge, allows parents to register accounts for themselves and their children. This allows parents to download apps and other VTech related electronic content. A hacker that has leaked the content of this data breach revealed he has no plans to do anything with the stolen data. So what type of information was stolen?

According to the FAQ page, in the United States alone 2,212,863 parent accounts and 2,894,091 child profile accounts were compromised.

Profile information such as: customer names, email addresses, passwords, secret questions and answers (used for password retrieval), IP addresses, residential address, and purchase/download history. The database also contains children's information such as names, date of birth, and gender. The Kid Connect service, which allows parents to communicate with their children was also hacked in this data breach. Chat logs and pictures of children and parents were also leaked online. The hacker shared approximately 3,800 images of children to validate his claim, but stated he did not have any intention to publish or sell this information. VTech stated that the customer database that was leaked online did not contain credit card information, or personal identifiable information, such as driver's license/ID numbers, social security numbers, etc. VTech has also temporarily suspended its Learning Lodge portal for "security assessment and fortification".

At the time of this blog post, the VTech press release makes no mention an external entity, such as the appropriate law enforcement or legal entity, nor does it mention hiring an outside forensic consulting firm to complete a thorough investigation.  It would appear VTech is conducting its own internal investigation.

So what can you do if you were one of the millions affected by this data breach? First, you should change your password immediately and change your password retrieval information (security questions and answers). First, there is a free website that allows users to check to see if your email address is listed in any of the many data breaches consolidated into this website. This data breach is yet another revelation that "if you collect it, you must protect it". Just with previous over/under reported data breaches criminals will use this database to launch additional attacks, such as email phishing campaigns against victims. Yesterday, we provided some consumer tips that are also helpful in protecting yourself online.  With the state of the Internet today, one does not need to have his/her personal identifiable information stolen to be identified. Metadata, such as email addresses, IP addresses, and usernames can personally identify individuals. The attackers are aware of this information and use stolen/leaked data in these breaches as "intel" for carrying out targeted attacks. This data breach is a reminder of how important it is to protect children's personal information. While this data may be not be as a valuable today, but when he/she is old enough to get a driver's license, or open up a credit card account now this leaked information becomes extremely useful to a cyber criminal.

VTech Press Release

VTech FAQ regarding data breach

Email Inquiry Contacts

•US: vtechkids@vtechkids.com •Canada: toys@vtechcanada.com •France: explora_park@vtech.com •Germany: downloadmanager@vtech.de •Netherlands: exp@vtech.com •Spain: informacion@vtech.com •UK: consumer_services@vtech.com •Australia and New Zealand: enquiriestoys_aunz@vtech.com •Hong Kong: corporate_mail@vtech.com •Other countries and regions: corporate_mail@vtech.com

The Internet Crime Complaint Center (IC3) provides valuable tips for protecting yourself and identity before conducting business or online transactions: http://www.ic3.gov/preventiontips.aspx  If you feel you have fallen victim to a data breach or cyber attack we can help. Give us a call (866)900-4236 or visit our Contact Us page. One of our Kemper Consultants will follow-up with you promptly. Have a question? Leave us a comment or send us a Tweet @KemperForensics


No Comments Yet.

Leave a Reply