Watch out – there’s a Stealing Santa about!

Stealing SantaAt this time of year parents all over the world are busy working out what the latest electronic gadget they need to buy for their children before the Christmas rush makes these highly-prized toys out of stock. One of the biggest manufacturers is Chinese consumer giant VTECH that owns the Learning Lodge app store.

But this story doesn’t have a happy ending.

The customers’ secrets stored on the company’s data base have been hacked and according to security experts this amounts to 4.8m unique customer email addresses as well as names and download history.

According to reports, the company database was compromised on 14 November but it took a good 10 days before HKT (the owners of VTech) notified its customers.

Dear Valued Customer,

On November 24 HKT we discovered that an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database on November 14 HKT. Our records show that you are a customer of the Learning Lodge.

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

It is important to note that our customer database does not contain any credit card or banking information. VTech does not process or store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.

In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks. Our investigation continues as we look at additional ways to strengthen our Learning Lodge database security.

Yours sincerely,

King F. Pang
Group President
VTech Holdings Limited

Not everyone is convinced that these assurances mean a great deal and according to Professor Alan Woodward, cyber security expert at Surrey University, it looks like the company may have been subjected to a simple hacking technique known as an SQL injection.

“If that’s the case then it really is unforgivable – it is such an old attack that any standard security testing should look for it,” he said.

“If initial reports are correct then they should be taking their website connection to their databases offline immediately until they can discover how this was done and correct the issue. They also need to be alerting the parents as soon as possible, with particular emphasis on how their children might be approached using this type of data.”

Under the forthcoming EU General Data Protection Regulation (GDPR), VTech would be in line for a significant fine for not adhering to required data protection and privacy standards as well as for every personal data breach – which could result in a fine between 2-5% of global turnover or €100m.

Professor Alan Woodward added: “These breaches are endemic. If that means focusing the minds of these companies through big fines then so be it. It needs to be taken seriously and those responsible held to account.”

Another security expert, Troy Hunt, said he was extremely concerned by the breach.

“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)’, I start to run out of superlatives to even describe how bad that is.”


Leave a reply