Data breach at Hong Kong toy maker VTech highlights broader problems

[HONG KONG] The theft of toy maker VTech Holdings Ltd's database highlights a growing problem with basic cyber security measures at small, non-financial companies that handle electronic customer data, industry watchers said on Monday.

The hacked data at VTech included information about customers who download children's games, books and other educational content, the Hong Kong-based toy maker said. The breach also included information relating to children.

As more devices are connected to the Internet and as companies increasingly collect personal information about their customers, such attacks are expected to increase.

"Smaller companies might be targeted less often, but the implications ... can be just as serious," said the chief technology officer of cyber security firm FireEye Bryce Boland. "As larger companies implement stronger security measures, smaller companies become relatively easy targets for cyber crime."

VTech has a market value of HK$21.9 billion ($2.8 billion). Tech giant Apple Inc has a market capitalization of $657 billion.

In VTech's case, information that should have been obscured and unrecoverable if the database were breached - such as passwords and secret answers - either wasn't obscured at all or was done so improperly, said Larry Salibra, founder and chief executive of crowd-sourced bug-testing platform, Pay4Bugs.

Mr Salibra said these types of security measures were basic best practices that don't require a lot of money.

"This seems to be a trend. Hardware manufacturers really don't value software skills - I would imagine because they don't see any immediate positive impact to their bottom line," Mr Salibra said. "Software talent is an easy place to be cheap with minimal consequences until something like this happens."

News site Motherboard reported that data belonging to some 4.8 million parents and more than 200,000 children was taken in the VTech attack. It said that included names, email addresses, passwords and home addresses of parents; as well as first names, genders and birthdays of children.

The site said it had spoken to a hacker who claimed to be behind the attack, who said he planned to do "nothing" with the data. Motherboard's claims could not be independently confirmed.

VTech, which sells children's tablets, electronic learning toys and baby monitors, said the targeted database did not include payment information, credit card information, Social Security numbers or drivers license numbers.

It did not say how many records were stolen.

Vtech said it has taken steps to prevent further attacks but did not provide details.

Vtech's stock has fallen 22 per cent this year.

Shares were suspended on Monday and trade in other Vtech securities has also been suspended, the company said.

REUTERS