(Adds comment from Hong Kong Privacy Commissioner for Personal
Data)
By Jim Finkle and Clare Baldwin
BOSTON/HONG KONG, Dec 1 (Reuters) - U.S. states said they
will investigate a massive breach at digital toy maker VTech
Holdings Ltd (0303.HK) as security experts warned that hackers
are likely to target similar companies that handle customer
data.
Attorneys general in the U.S. states of Connecticut and
Illinois said on Monday that they would probe the breaches,
though their representatives declined comment on the focus of
their inquiries.
The Hong Kong-based toymaker disclosed the attack on Friday,
saying information about nearly 5 million adults and children
had been stolen in an attack on a portal used to download games
to its computer tablets.
Hong Kong Privacy Commissioner for Personal Data Stephen
Wong said his office had initiated a "compliance check" on VTech
to see if the company had followed data privacy principles.
Technology news site Motherboard reported on Friday that the
data belonged to some 4.8 million adults and more than 200,000
children. VTech did not break out the number of children
affected.
Motherboard reported on Monday that the hackers also stole
photos and chat logs from VTech's Kid Connect service, which
allows adults to use their smartphones to chat with kids using
a VTech tablet. (http://bit.ly/1XCLIjU)
VTech did not respond to requests for comment on the state
probes or the Motherboard reports, which Reuters could not
independently verify. Hong Kong's Cyber Security and Technology
Crime Bureau said it did not receive any report from VTech.
Privacy Commissioner Wong also said there is not yet
"adequate or sufficient information" to say whether children had
specifically been targeted in the VTech hack.
Meanwhile, some experts said that they expect to see more
breaches involving information collected through digital toys
and other web-connected devices, a category of products known in
tech circles as the Internet of Things, or IoT.
They said that manufacturers in many industries lack the
security experience and expertise that the computer industry has
developed during the surge in Internet use over the past two
decades.
"You have all these devices and services that are connecting
to the Internet by companies that don't have the experience that
older software companies do in securing their data," said Katie
Moussouris, chief policy officer with HackerOne, a "bug bounty"
firm that helps businesses work with researchers to find cyber
bugs.
"VTech is a toymaker and I don't expect them to be security
superstars. They are amateurs in the field of security," said
Tod Beardsley, security research manager with Rapid7 Inc
(RPD.O).
Toy manufacturers lack rigor in secure software development,
said Chris Eng, vice president of research at security software
maker Veracode. They are "inevitably going to fall short on
security," he said.
Larry Salibra, chief executive of bug-testing platform
provider Pay4Bugs, said that it looks like VTech failed to
properly secure sensitive data by encrypting it so that it would be
difficult to unscramble and useless if stolen.
Motherboard said it spoke to a hacker who claimed to be
behind the attack and said he planned to do "nothing" with the
data.
VTech said the breached database included names, email
addresses, passwords, secret questions and answers for password
retrieval, IP addresses, mailing addresses, download histories
and children's names, genders and birth dates.
The company said the database did not include credit card
information, ID card numbers, Social Security numbers or driver's
licence numbers.
VTech shares were trading down 0.17 percent in early
afternoon at HK$86.75 and are down more than 20 percent this
year.
(Reporting by Jim Finkle, Clare Baldwin; Additional reporting
by Donny Kwok, Anne Marie Roantree and Yimou Lee; Editing by
Bill Tarrant, Steve Orlofsky and Kavita Chandran)