Hackers Target Data on Kids

Police in the United Kingdom arrested a 21-year-old man as part of the investigation into a massive hack against Hong Kong-based toy-maker VTech.

VTech sells popular toys for very young children, including smartwatches and tablets. The November breach of several company databases exposed information about roughly 5 million adults and more than 6 million children around the world, including names, genders and birthdates. Tech site Motherboard reported that some pictures, chat logs between parents and their kids, and even audio recordings were also leaked, but the company has said it “cannot confirm” that data was reached by the hacker.

VTech’s systems were reportedly vulnerable to a well-known hacking technique. The alleged hacker told Motherboard he attacked the company and then went to the press to highlight its poor security practices. The incident raised new questions about the digital security of toys at a time when big corporations are increasingly marketing dolls and other devices that connect to the Internet and collect data about children. Earlier this month, researchers publicly disclosed security problems with Hello Barbie, a new doll that relies on artificial intelligence and an online connection to carry on conversations with children. ToyTalk, the company behind Hello Barbie’s voice features, worked with the researchers to help fix “many of the issues they raised” before they were revealed.

The name of the man arrested in connection to the VTech hack was not released, but he was taken into custody in Bracknell, Berkshire, on suspicion of two charges related to a 1990 computer crime law, according to an announcement from the South East Regional Organized Crime Unit. The agency said it also seized a number of “electronic items.” “We are still at the early stages of the investigation and there is still much work to be done,” Craig Jones, head of the agency’s Cyber Crime Unit, said in a statement. “Cyber crime is an issue which has no boundaries and affects people on a local, regional and global level.”

Earlier this month, VTech announced it had brought in forensic investigators from security firm FireEye’s Mandiant Incident Response team to help respond to the attack. Nearly half of those affected by the breach were in North America, but VTech’s customers span the globe, as have investigations into the hack and the company’s data protection practices. Attorneys general of Illinois and Connecticut have both opened investigations into the incident. Hong Kong’s privacy commissioner also initiated a “compliance check” to determine if the company took “appropriate steps to safeguard personal data” before the breach.

In a previous press statement, VTech said it is “cooperating with law enforcement worldwide” and that Mandiant is reviewing how the company handles customer information so it can “further strengthen” the security of that data.