VTech data breach: Will the company have to revise its security priorities?

The technology company's 'Learning Lodge' app store was compromised to reveal data on children and parents who use the site. The company is making every effort it can to rectify the situation, but there are still steps to be taken. 

REUTERS/Tyrone Siu
VTech's products are seen on display at a toy store in Hong Kong, China November 30, 2015. Shares of electronic toy maker VTech Holdings Ltd were suspended from trade on Monday after customer data was stolen in a cyber attack, sparking concern over the loss of information relating to children.

On Black Friday, the technology-reporting website Motherboard reported that Hong Kong electronics maker VTech was targeted by hackers. Data compromised in the hack included the personal information of nearly five million people, many of them children.

VTech runs an online store called the “Learning Lodge” that sells apps, e-books, and other content for its suite of educational tablets and devices.

A hacker interviewed by Motherboard’s Lorenzo Franceschi-Bicchierai said that they used a "SQL injection" attack, a simple and extremely common hacking technique in which attackers enter database commands into website forms in order to make the site return data it was not meant to expose. Such attacks are easy to defend against, but VTech did not have the proper protocols to do so.

“It was pretty easy to dump, so someone with darker motives could easily get [the information from VTech],” the hacker told Motherboard in an encrypted chat.

The information that the hackers uncovered included children’s photos and chat logs. It also revealed parents’ names and addresses, security questions, and passwords. VTech has said that credit card information, Social Security numbers, and driver's license numbers are not stored either in the Learning Lodge or in their customer database, and have not been affected by the breach.

VTech said that they were not made aware of the security breach until Motherboard notified them on November 24th. The company has since moved to try and rectify the situation.

The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong is running a compliance check on the company to make sure that they are handling consumer data in line with standard protocols. 

“PCPD has decided to commence a compliance check against VTech with an aim of finding out whether VTech had taken appropriate steps to safeguard personal data before the leakage; and what remedial actions are adopted thereafter to avoid the occurrence of similar incidents,” Mr. Stephen Wong, Privacy Commissioner for Personal Data, said in a statement.

Other companies who suffered data breaches have also been forced to reaffirm, or even revise, their security priorities to mitigate customers' fears. When Target was hacked in 2013, compromising the credit card data of some 40 million of its customers, the company chose to focus on the trust and loyalty that its customers, or "guests," had shown it in the past.

"We understand that a situation like this creates stress and anxiety about the safety of your payment card data at Target," then-CEO Gregg Steinhafel said in a statement. "Our brand has been built on a 50-year foundation of trust with our guests, and we want to assure you that the cause of this issue has been addressed and you can shop with confidence at Target."

What’s unusual about this breach is that, according to Motherboard, the hackers do not appear to have malicious purposes for the information they obtained: unlike in other recent data breaches, they decided not to sell the information they collected for a profit online.
