BreachExchange mailing list archives

Data breach at Hong Kong toy maker VTech highlights broader problems


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Mon, 30 Nov 2015 08:53:12 -0600

http://www.reuters.com/article/2015/11/30/us-vtech-cyberattack-idUSKBN0TJ0B620151130#VX6VeeAgoeFKzXTI.97

The theft of toy maker VTech Holdings Ltd's database highlights a growing
problem with basic cyber security measures at small, non-financial
companies that handle electronic customer data, industry watchers said on
Monday.

The hacked data at VTech included information about customers who download
children's games, books and other educational content, the Hong Kong-based
toy maker said. The breach also included information relating to children.

As more devices are connected to the Internet and as companies increasingly
collect personal information about their customers, such attacks are
expected to increase.

"Smaller companies might be targeted less often, but the implications ...
can be just as serious," said Bryce Boland, Asia Pacific chief technology
officer of cyber security firm FireEye. "As larger companies implement
stronger security measures, smaller companies become relatively easy
targets for cyber crime."

VTech has a market value of HK$21.9 billion ($2.8 billion). Tech giant
Apple Inc has a market capitalization of $657 billion.

In VTech's case, information that should have been obscured and
unrecoverable if the database were breached - such as passwords and secret
answers - either wasn't obscured at all or was done so improperly, said
Larry Salibra, founder and chief executive of crowd-sourced bug-testing
platform, Pay4Bugs.

Salibra said these types of security measures were basic best practices
that don't require a lot of money. "This seems to be a trend. Hardware
manufacturers really don't value software skills - I would imagine because
they don't see any immediate positive impact to their bottom line," Salibra
said.

"Software talent is an easy place to be cheap with minimal consequences
until something like this happens."

VTech said in a statement that about 5 million customer accounts and
related children's profiles worldwide were affected. It did not break out
how many profiles belonged to parents and how many to children. News site
Motherboard reported that data belonging to some 4.8 million parents and
more than 200,000 children was taken.

The site said it had spoken to a hacker who claimed to be behind the
attack, who said he planned to do "nothing" with the data. Motherboard's
report could not be independently confirmed.

VTech said the breached database included names, email addresses,
passwords, secret questions and answers for password retrieval, IP
addresses, mailing addresses, download histories and children's names,
genders and birth dates.

The company, which sells children's tablets, electronic learning toys and
baby monitors, said the targeted database did not include credit card
information, ID card numbers, Social Security numbers or drivers licence
numbers.

VTech said it has taken steps to prevent further attacks but did not
provide details. It said it has emailed every account holder.

VTech's stock has fallen 22 percent this year. Shares and trade in other
VTech securities were suspended on Monday morning.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 