VTech Holdings Limited, the Hong Kong maker of baby monitors and electronic toys, announced that its customer database was hacked two weeks ago.
The company says an unauthorized party accessed VTech customer data housed in its Learning Lodge app store database on November 14, 2015. Learning Lodge gives its customers the ability to download apps, learning games, e-books and other educational content to their VTech products.
Upon discovering the unauthorized access, VTech claims it immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks. The company says its customer database contains general user profile information including names; email addresses; encrypted passwords; secret questions and answers for password retrieval; IP addresses; mailing addresses; and download histories.
In the company's statement on the incident, it says: "It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway. In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers)."
This is where the company's reaction is a bit obtuse. The company is hoping to win public sentiment by stating that no payment information or personal I.D. data was taken in the heist. While that may technically be true, even an unsophisticated attacker could combine customer mailing addresses, answers to secret questions, and IP addresses to correlate enough information that a credit card number or I.D. document is not needed.
For example, an attacker could cross-reference that information with the readily available credit records sold on the Dark Web, and then apply for new credit cards using the stolen name, address, and secret-answer data.
Hong Kong has a data privacy ordinance and dozens of past cases under it that could put the company in jeopardy. The Hong Kong government takes data privacy very seriously, and VTech should face fines and possibly other civil or criminal penalties for failing to secure customer data.
Most importantly, this highlights the security failings of many Internet of Things companies. Companies concentrate on developing usable devices that connect to the Internet, while secure methods of transmitting and storing information are forgotten or ignored. Especially in Hong Kong, which lacks a large community of technologists, these failings are all too common.