VTech confirmed that five million customers were affected by a recent data breach. The company, which sells electronic learning products, recently had its app store database hacked.
The toy maker apologised on Twitter on Monday, adding that it suspended the affected service, called Learning Lodge, and is now notifying its customers.
The hacker was able to access personal information about customers who downloaded games, books and other educational content. They were able to obtain 4.8 million customer email addresses and names, in addition to the gender, first name and birth dates of over 200,000 children.
VTech said that customers were affected all over the world, including those in the UK and the US. The toy maker said that the database was accessed on Nov. 14.
According to Motherboard, the hacker said that the information was obtained by exploiting a SQL injection vulnerability. “It was pretty easy to dump, so someone with darker motives could easily get it,” the hacker said in an encrypted chat.
In an email to customers, the company said: “Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against further attacks.”
The company said it was “important to note that our customer database does not contain any credit card or banking information” nor social security numbers.
The data breach is the latest in a string of similar cases and highlights the need for companies to ensure that all personal data stored is kept safe and secure.
Microsoft developer and security specialist Troy Hunt said: “When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts.”
He added: “When it includes their parents as well – along with their home address – and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)’, I start to run out of superlatives to even describe how bad that is.”
Hunt carried out an analysis and found that VTech didn’t appear to be using SSL web encryption, which encrypts data sent between a user’s computer and a service, and that data such as passwords were completely unprotected.
He added: “Taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.”
Tod Beardsley, security engineering manager at internet security firm Rapid7, was quoted by the BBC as saying: “The VTech breach illustrates one of the major issues facing us today.
“With the Internet of Things, companies of all sorts are rapidly morphing into information technology companies, but without the hard-won security learnings that traditional infotech companies now enjoy.
“It’s tough to be both a toy manufacturer and a mature technology company with a robust security program.
“This is not just a challenge for companies that are just now entering tech, but a challenge for the security industry to communicate effectively, and quickly, to these companies who haven’t yet earned their security stripes the hard way.”