Probe into breach at digital toymaker

Details of 5 million adults, children stolen; experts say more hacks of similar firms likely

VTech Kidizoom Smartwatches are seen on display at a toy store in Hong Kong on Nov 30. PHOTO: REUTERS

BOSTON/HONG KONG • Some state authorities in the US say they will investigate a massive breach at digital toymaker VTech Holdings, as security experts warn that hackers are likely to target similar companies that handle customer data.

The Connecticut and Illinois attorneys-general on Monday said they would probe the breaches, though their representatives declined comment on the focus of their inquiries.

The Hong Kong-based toymaker disclosed the attack last Friday, saying information about nearly five million adults and children had been stolen in an attack on its Learning Lodge database.

Learning Lodge is an online store for VTech devices where users can download apps, games, e-books, videos and music, all geared towards children. Hackers were able to retrieve adults' profile information, including names, e-mail addresses and passwords.

They also obtained secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories. The compromised database also contained the names, gender and birth dates of children.

Motherboard on Monday said the hackers also stole photos and chat logs from VTech's Kid Connect service, which allows adults to use their smartphones to chat with kids using VTech tablets.

Hong Kong Privacy Commissioner for Personal Data Stephen Wong said his office had initiated a "compliance check" to see if VTech had followed data privacy principles.

Some experts say they expect to see more breaches involving data collected through digital toys and other Web-connected devices, a category of products known as the Internet of Things.

"You have all these devices and services that are connecting to the Internet by companies that don't have the experience that older software companies do in securing their data," said Ms Katie Moussouris, chief policy officer with HackerOne, which helps businesses find cyber bugs.

Activist group Campaign for a Commercial-Free Childhood has raised the privacy risks of the high-tech "Hello Barbie" doll unveiled earlier this year by toy giant Mattel.

It allows children to speak and get a response from their favourite toy. The conversations travel over Wi-Fi networks to Internet "cloud" servers that use artificial intelligence to deliver a personal reply.

But ToyTalk, Mattel's technology partner, in a blog post last week pointed to the "many safety features that have been integrated" into the design of Hello Barbie.

"We are not aware of anyone who has been able to access your Wi-Fi passwords or your kid's audio data," the firm said.


A version of this article appeared in the print edition of The Straits Times on December 02, 2015, with the headline 'Probe into breach at digital toymaker'.