VTech has announced that it has experienced a data breach, which has affected up to five million of its customers.
The specialist electronic toys and technology company revealed that its Learning Lodge website, which has been “temporarily suspended”, was compromised on November 14th.
Learning Lodge, which is similar to app stores like Google Play, is aimed at parents, offering them additional educational content that can be downloaded onto various VTech devices.
The information that is stored on its website includes names, addresses, encrypted passwords, download history and security questions and answers.
However, according to VTech, credit card information belonging to its customers is not stored on Learning Lodge.
“To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway,” the company explained.
“In addition, our customer database does not contain any personal identification data. The investigation continues as we look at additional ways to strengthen our Learning Lodge database security.”
Speaking to the BBC, Professor Alan Woodward, a cybersecurity and covert communications expert at Surrey University, said that the data breach was likely achieved through an SQL injection.
He commented that if this is found to be the case, then VTech has a lot to answer for, as this type of attack – where malicious code is injected into an application to gain access to and control of a database – exposes vulnerabilities that shouldn’t really exist.
“These breaches are endemic and we have to stop [them],” he went on to say. “If that means focusing the minds of these companies through big fines then so be it. It needs to be taken seriously and those responsible held to account.”
ESET UK’s Mark James added: “Data breaches of any kind are bad news for all concerned but when minors are involved the potential dangers could be even worse, we all talk about credit card details and often in these cases the first thing that’s said is ‘your financial information is safe’ but hold on a sec, all data is private, immediate financial loss from most breaches is quite small, what’s terrifying here is the fact that children’s information has been stolen that could enable a third party to establish a trust relationship that may enable them to converse or even befriend these unsuspecting children.
Birthdays, mummy’s, daddy’s and even grandparents’ names if used for secret questions and answers could all be used for communication that could establish a conversation trail, or even worse phishing or grooming not to mention the adults’ info being used for identity theft or credit card fraud, companies need to understand all data is private, they must take better measures to protect our data and not just financial information, VTech must take responsibility for what has happened and notify all the parents involved to explain the possible dangers and what to look out for.”
This consumer data breach is the fourth biggest of all time. The current record sits with Adobe, which was attacked in 2013. Up to 38 million of its customers were affected.
by Narinder Purba