VTech restores online functions following hack

Hacked toy firm reopens online portal, but some of its devices remain offline

25/01/2016: Children's toy manufacturer VTech has restored "key functions" of a connected product it took offline after a hack in November 2015.

The Learning Lodge is VTech's online distribution portal, and allows customers to download games, ebooks and other content to their VTech toys.

Customers can now login to their existing accounts and manage their devices once again after a hack last November destroyed the funtionality of some key features, while cybercriminals managed to steal 6.4 million children's details.

Advertisement - Article continues below

Account management features are back online, but other features remain disconnected. VTech's InnoTV, InnoTab Max and some of its older generation products, like the Secret Safe Diary Selfie and Sleep Musical Sheep, are excluded from the restoration.

VTech chairman and group chief executive, Allan Wong, said in a statement: "After the cyber-attack, we have focused on further strengthening security around user registration information and other services within Learning Lodge. A full list of the products and their current support status can be viewed on the Learning Lodge website.

"With the key services now resumed, we strongly suggest that our existing customers log into Learning Lodge as soon as they can and change their passwords.

"We apologise that there are still some Learning Lodge services that remain unavailable at this time. We continue to work very hard towards reopening them as soon as possible."

Advertisement - Article continues below

A man was arrested in Berkshire in connection to the VTech hack in December. The hacker allegedly responsible also claimed he attacked the company to highlight its security vulnerabilities.

Advertisement - Article continues below

15/12/2015: A man has been arrested in Berkshire in connection with the investigation into the hacking of electronic toy firm VTech.

The 21-year-old has been held on suspicion of "unauthorised access" to a computer, according to a statement by the South East Regional Organised Crime Unit (Serocu).

A number of electronic items were seized to be examined by Serocu's Cyber Crime eForensics Unit.

Craig Jones, Head of the Cyber Crime Unit at Serocu, said: "Cyber criminality is affecting more and more business around the world and we continue to work with our partners to thoroughly investigate, often very complex cases.

"We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with our partners to identify those who commit offences and hold them to account.

"We are pursuing cyber criminals using the latest technology and working with businesses and academia to further develop specialist investigative capabilities to protect and reduce the risk to the public."

Advertisement - Article continues below

Toy maker Vtech has revealed its app store database has been hacked, exposing details of 4.8 million customers, including 200,000 children, making it one of the biggest consumer data breaches ever.

This not only included names, addresses and other personal data, but new information has revealed photos and chat logs between parents and their children was also accessed, raising even more concern from customers and security experts.

Hackers responsible for the attack said told Motherboard they were able to take the data from Vtech's Kid Connect service, which allows parents and their children to converse via a Vtech tablet.

"Frankly, it makes me sick that I was able to get all this stuff," the hacker told the website. "Vtech should have the book thrown at them."

Advertisement - Article continues below

Security experts have also voiced their surprise that the hackers were able to access the potentially dangerous data so easily.

"This breach is unlike any others we've seen and it raises a number of different issues due to the nature of the victims," Ross Brewer, vice president and managing director for international markets at LogRhythm said. "In an adult world, this would be the equivalent of a hacker accessing and stealing your photos and conversations from Facebook."

Advertisement - Article continues below

"The fact that VTech did not take even the simplest steps and encrypt their server renders me speechless. Big breaches at Sony and TalkTalk have made it clear just how easy and damaging it is for hackers to exploit a company's weak point, so it's more important than ever that businesses show they are going above and beyond to protect the data they are entrusted with particularly when this data relates to young children," he added.

The toy maker said the breach happened on 14 November, but was not detected until 10 days later. It added it was not sure what data, if any, had been stolen, but said the database does hold information including names, email addresses, encrypted passwords, secret question and answers for password retrieval, IP addresses, mailing addresses and download history.

Vtech reassured customers it does not contain any credit card details or personal identification information such as ID card numbers, social security numbers or driving licence details.

Advertisement - Article continues below

Louise Bulman, VP EMEA at Vormetric commented: "Vtech has joined the increasingly long line of organisations facing a rather bleak end to 2015, as it becomes the latest to suffer a high-profile data breach. What's most concerning here is the nature of the information stolen that which relates to children and the varying reports over the level of encryption around the compromised data."

Advertisement - Article continues below

Vtech's Learning Lodge is a gateway for children and adults to download a variety of content including games and e-books onto their devices, such as first computers and tablets.

Those who use the app store said they were alerted to the data breach via an email from the company.

"Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against further attacks," Vtech said in the customer alert email.

The company has disabled the Learning Lodge website, which displayed the message: "Due to a breach of security on our Learning Lodge website, we have temporarily suspended the site...We apologise for any inconvenience caused."

Advertisement - Article continues below

"The investigation continues as we look at additional ways to strengthen our Learning Lodge database security. We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future," the company added in a statement.

Bulman added that companies should not limit what they encrypt on their servers to just payment information, but it should encompass all details relating to customers.

"The Vtech breach highlights yet again that organisations should be focussing on making sure sensitive data remains protected when (not if) it falls into the wrong hands and encryption is critical to achieving this. In the past, encryption was deployed to protect only what businesses were forced to protect by compliance requirements.

By ensuring everything is safeguarded from hackers, companies can have the upper hand against criminals and ensure not only their sensitive company-related information is protected, but also their customers can be safe in the knowledge their information is secure too.

Advertisement - Article continues below

"This in turn reduces the damage that hackers can cause, as encryption renders stolen data illegible and virtually useless to them. These days, failing to encrypt data is akin to locking the front door of your home in order to feel secure, but leaving the back door wide open," she said.

This story was originally published on 29/11/15 but has been updated several times (most recently on 25/01/16).

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020