VTech has announced that it has experienced a data breach, which has affected up to five million of its customers.
The specialist electronic toys and technology company revealed that its Learning Lodge website, which has been “temporarily suspended”, was compromised on November 14th.
Learning Lodge, which is similar to app stores like Google Play, is aimed at parents, offering them additional educational content that can be downloaded onto various VTech devices.
The information that is stored on its website includes names, addresses, encrypted passwords, download history and security questions and answers.
However, according to VTech, credit card information belonging to its customers is not stored on Learning Lodge.
“To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway,” the company explained.
“In addition, our customer database does not contain any personal identification data. The investigation continues as we look at additional ways to strengthen our Learning Lodge database security.”
Speaking to the BBC, professor Alan Woodward, a cybersecurity and covert communications expert at Surrey University, said that the data breach was likely achieved through an SQL injection.
He commented that if this is found to be the case, then VTech has a lot to answer for, as this type of attack – where malicious code is injected into an application to gain access and control of a database – exposes vulnerabilities that shouldn’t really exist.
“These breaches are endemic and we have to stop [them],” he went on to say. “If that means focusing the minds of these companies through big fines then so be it. It needs to be taken seriously and those responsible held to account.”
While this consumer data breach is by no means the largest, the fact that information about so many children was exposed makes it particularly troubling. This is likely to bring extra scrutiny to VTech as the incident is investigated.
According to ESET security researcher Stephen Cobb, this large-scale exposure of digital device user information via an insecure customer portal is a timely reminder to companies in the consumer IoT space to take security seriously across all levels of the organization.
Mr. Cobb said: "You might have developed a secure device, but if you don't adequately protect personal information about users of that device you still risk reputational damage, lawsuits, and even fines in the event of a breach."