* Data belonging to 4.8 million parents reportedly stolen
* Hacking raises concerns over security at smaller companies
* Smaller firms relatively easy targets for cyber crime -
expert
(Adds comments from cyber security experts)
By Clare Baldwin and Donny Kwok
HONG KONG, Nov 30 (Reuters) - The theft of toy maker VTech
Holdings Ltd's (0303.HK) database highlights a growing problem
with basic cyber security measures at small, non-financial
companies that handle electronic customer data, industry
watchers said on Monday.
The hacked data at VTech included information about
customers who download children's games, books and other
educational content, the Hong Kong-based toy maker said. The
breach also included information relating to children.
As more devices are connected to the Internet and as
companies increasingly collect personal information about their
customers, such attacks are expected to increase.
"Smaller companies might be targeted less often, but the
implications ... can be just as serious," said Bryce Boland, chief
technology officer of cyber security firm FireEye.
"As larger companies implement stronger security measures,
smaller companies become relatively easy targets for cyber
crime."
VTech has a market value of HK$21.9 billion ($2.8 billion).
Tech giant Apple Inc (AAPL.O) has a market capitalization of
$657 billion.
In VTech's case, information that should have been obscured
and unrecoverable if the database were breached - such as
passwords and secret answers - either wasn't obscured at all or
was obscured improperly, said Larry Salibra, founder and chief
executive of crowd-sourced bug-testing platform Pay4Bugs.
Salibra said these types of security measures were basic
best practices that don't require a lot of money. "This seems to
be a trend. Hardware manufacturers really don't value software
skills - I would imagine because they don't see any immediate
positive impact to their bottom line," Salibra said.
"Software talent is an easy place to be cheap with minimal
consequences until something like this happens."
News site Motherboard reported that data belonging to some
4.8 million parents and more than 200,000 children was taken in
the VTech attack. It said that included names, email addresses,
passwords and home addresses of parents; as well as first names,
genders and birthdays of children. (http://bit.ly/1kYba7r)
The site said it had spoken to a hacker who claimed to be
behind the attack, who said he planned to do "nothing" with the
data. Motherboard's claims could not be independently confirmed.
VTech, which sells children's tablets, electronic learning
toys and baby monitors, said the targeted database did not
include payment information, credit card information, Social
Security numbers or driver's license numbers.
It did not say how many records were stolen.
VTech said it has taken steps to prevent further attacks but
did not provide details.
VTech's stock has fallen 22 percent this year. Shares were
suspended on Monday and trade in other VTech securities has also
been suspended, the company said.
($1 = 7.7500 Hong Kong dollars)
(Reporting by Clare Baldwin and Donny Kwok; Additional
reporting by Yimou Lee and Stella Tsang; Editing by Anne Marie
Roantree and Bill Tarrant.)