VTech Data Breach Affects Nearly 5 Million Customers
Last Friday, VTech announced that an unauthorized party accessed the customer data held on its Learning Lodge app store database on November 14, 2015. According to Have I Been Pwned, a company that tracks online data breaches, this is the fourth largest consumer data breach to date.
VTech is a Chinese company that sells toys and gadgets for kids, and its Learning Lodge app allows customers to download apps, learning games, e-books and other educational content to VTech products.
The database that was compromised holds user profile information such as names, email addresses, encrypted passwords, password retrieval questions and answers, IP addresses, mailing addresses and download histories. In its statement, VTech assured customers that it does not contain any credit card information or personal identification data, such as social security numbers.
“It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.”
According to Motherboard, the breach also included the first names, genders and birth dates of more than 200,000 children.
Motherboard first learned of the incident when the hacker who claimed responsibility contacted them and provided the files containing the sensitive data. Motherboard immediately contacted VTech regarding the incident but did not receive a response for a few days. At that time, VTech said they did not know about the breach until Motherboard brought it to their attention.
“On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database,” Grace Pang, a VTech spokesperson, told Motherboard in an email. “We were not aware of this unauthorized access until you alerted us.”
The company stated that it began an investigation as soon as the breach was discovered and took measures to protect against further attacks.
At this time, the alleged hacker has told Motherboard he has done nothing with the data.