by Clare Hopping, News, itpro.co.uk,
1st December 2015
The company's Learning Lodge app and content portal was hacked in the fourth biggest consumer data breach in history
Toy maker Vtech has revealed its app store database has been hacked, exposing details of 4.8m customers, including 200,000 children, making it one of the biggest consumer data breaches ever.
Louise Bulman, VP EMEA at Vormetric, commented: "VTech has joined the increasingly long line of organisations facing a rather bleak end to 2015, as it becomes the latest to suffer a high-profile data breach. What’s most concerning here is the nature of the information stolen – that which relates to children – and the varying reports over the level of encryption around the compromised data."
Vtech's Learning Lodge is a gateway for children and adults to download a variety of content including games and e-books onto their devices, such as first computers and tablets.
The toy maker said the breach happened on 14 November, but was not detected until 10 days later. It added it was not sure what data, if any, had been stolen, but said the database does hold information including names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download history.
Vtech reassured customers that the database does not contain any credit card details or personal identification information such as ID card numbers, social security numbers or driving licence details.
Those who use the app store said they were alerted to the data breach via an email from the company.
"Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against further attacks," Vtech said in the customer alert email.
The company has disabled the Learning Lodge website, which displayed the message: "Due to a breach of security on our Learning Lodge website, we have temporarily suspended the site... We apologise for any inconvenience caused."
"The investigation continues as we look at additional ways to strengthen our Learning Lodge database security. We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future," the company added in a statement.
Bulman added that companies should not limit what they encrypt on their servers to just payment information, but should encrypt all details relating to customers.
"The Vtech breach highlights yet again that organisations should be focussing on making sure sensitive data remains protected when (not if) it falls into the wrong hands – and encryption is critical to achieving this. In the past, encryption was deployed to protect only what businesses were forced to protect by compliance requirements.
"By ensuring everything is safeguarded from hackers, companies can have the upper hand against criminals and ensure not only their sensitive company-related information is protected, but also their customers can be safe in the knowledge their information is secure too.
"This in turn reduces the damage that hackers can cause, as encryption renders stolen data illegible and virtually useless to them. These days, failing to encrypt data is akin to locking the front door of your home in order to feel secure, but leaving the back door wide open," she said.