VTech restores online functions following hack

, News
25 Jan, 2016

Hacked toy firm reopens online portal, but some of its devices remain offline

25/01/2016: Children’s toy manufacturer VTech has restored “key functions” of a connected product it took offline after a hack in November 2015.

The Learning Lodge is VTech’s online distribution portal, and allows customers to download games, ebooks and other content to their VTech toys.

Customers can now login to their existing accounts and manage their devices once again after a hack last November destroyed the funtionality of some key features, while cybercriminals managed to steal 6.4 million children's details.

Account management features are back online, but other features remain disconnected. VTech’s InnoTV, InnoTab Max and some of its older generation products, like the Secret Safe Diary Selfie and Sleep Musical Sheep, are excluded from the restoration.

VTech chairman and group chief executive, Allan Wong, said in a statement: “After the cyber-attack, we have focused on further strengthening security around user registration information and other services within Learning Lodge. A full list of the products and their current support status can be viewed on the Learning Lodge website.

“With the key services now resumed, we strongly suggest that our existing customers log into Learning Lodge as soon as they can and change their passwords.

“We apologise that there are still some Learning Lodge services that remain unavailable at this time. We continue to work very hard towards reopening them as soon as possible.”

A man was arrested in Berkshire in connection to the VTech hack in December. The hacker allegedly responsible also claimed he attacked the company to highlight its security vulnerabilities.

15/12/2015: A man has been arrested in Berkshire in connection with the investigation into the hacking of electronic toy firm VTech.

The 21-year-old has been held on suspicion of "unauthorised access" to a computer, according to a statement by the South East Regional Organised Crime Unit (Serocu).

A number of electronic items were seized to be examined by Serocu's Cyber Crime eForensics Unit.

Craig Jones, Head of the Cyber Crime Unit at Serocu, said: “Cyber criminality is affecting more and more business around the world and we continue to work with our partners to thoroughly investigate, often very complex cases.

“We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with our partners to identify those who commit offences and hold them to account.

“We are pursuing cyber criminals using the latest technology and working with businesses and academia to further develop specialist investigative capabilities to protect and reduce the risk to the public."

Toy maker Vtech has revealed its app store database has been hacked, exposing details of 4.8 million customers, including 200,000 children, making it one of the biggest consumer data breaches ever.

This not only included names, addresses and other personal data, but new information has revealed photos and chat logs between parents and their children was also accessed, raising even more concern from customers and security experts.

Hackers responsible for the attack said told Motherboard they were able to take the data from Vtech's Kid Connect service, which allows parents and their children to converse via a Vtech tablet.

”Frankly, it makes me sick that I was able to get all this stuff,” the hacker told the website. ”Vtech should have the book thrown at them.”

Security experts have also voiced their surprise that the hackers were able to access the potentially dangerous data so easily.

"This breach is unlike any others we’ve seen and it raises a number of different issues due to the nature of the victims," Ross Brewer, vice president and managing director for international markets at LogRhythm said. "In an adult world, this would be the equivalent of a hacker accessing and stealing your photos and conversations from Facebook."

“The fact that VTech did not take even the simplest steps and encrypt their server renders me speechless. Big breaches at Sony and TalkTalk have made it clear just how easy – and damaging – it is for hackers to exploit a company’s weak point, so it’s more important than ever that businesses show they are going above and beyond to protect the data they are entrusted with – particularly when this data relates to young children," he added.

The toy maker said the breach happened on 14 November, but was not detected until 10 days later. It added it was not sure what data, if any, had been stolen, but said the database does hold information including names, email addresses, encrypted passwords, secret question and answers for password retrieval, IP addresses, mailing addresses and download history.

Vtech reassured customers it does not contain any credit card details or personal identification information such as ID card numbers, social security numbers or driving licence details.

Louise Bulman, VP EMEA at Vormetric commented: "Vtech has joined the increasingly long line of organisations facing a rather bleak end to 2015, as it becomes the latest to suffer a high-profile data breach. What’s most concerning here is the nature of the information stolen – that which relates to children – and the varying reports over the level of encryption around the compromised data."

Vtech's Learning Lodge is a gateway for children and adults to download a variety of content including games and e-books onto their devices, such as first computers and tablets.

Those who use the app store said they were alerted to the data breach via an email from the company.

"Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against further attacks," Vtech said in the customer alert email.

The company has disabled the Learning Lodge website, which displayed the message: "Due to a breach of security on our Learning Lodge website, we have temporarily suspended the site...We apologise for any inconvenience caused."

"The investigation continues as we look at additional ways to strengthen our Learning Lodge database security. We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future," the company added in a statement.

Bulman added that companies should not limit what they encrypt on their servers to just payment information, but it should encompass all details relating to customers.

"The Vtech breach highlights yet again that organisations should be focussing on making sure sensitive data remains protected when (not if) it falls into the wrong hands – and encryption is critical to achieving this. In the past, encryption was deployed to protect only what businesses were forced to protect by compliance requirements.

By ensuring everything is safeguarded from hackers, companies can have the upper hand against criminals and ensure not only their sensitive company-related information is protected, but also their customers can be safe in the knowledge their information is secure too.

"This in turn reduces the damage that hackers can cause, as encryption renders stolen data illegible and virtually useless to them. These days, failing to encrypt data is akin to locking the front door of your home in order to feel secure, but leaving the back door wide open," she said.

This story was originally published on 29/11/15 but has been updated several times (most recently on 25/01/16).