

VTech Data Breach Highlights IoT Failings

VTech Holdings Limited, the Hong Kong maker of baby monitors and electronic toys, announced that its customer database was hacked two weeks ago.

The company says an unauthorized party accessed VTech customer data housed in its Learning Lodge app store database on November 14, 2015. Learning Lodge gives its customers the ability to download apps, learning games, e-books and other educational content to their VTech products.

Upon discovering the unauthorized access, VTech claims it immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks. The company says its customer database contains general user profile information including names; email addresses; encrypted passwords; secret questions and answers for password retrieval; IP addresses; mailing addresses; and download histories.

In the company's statement on the incident, it says: "It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway. In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers)."

This is where the company's reaction is a bit obtuse. The company is hoping to make good waves in public sentiment by stating that no payment information or personal I.D. data was present in the heist. While that may technically be true, a brute-force hacker or semi-intelligent cracker could use the combination of customer mailing addresses, answers to secret questions, and IP addresses to correlate lots of information that renders a credit card or I.D. unneeded.

For example, an attacker can correlate the information with readily available credit information sold on the Dark Web, and then apply for new credit cards with the address, name, and secret answer data.

Hong Kong's common law has a data privacy ordinance as well as dozens of past cases that could put the company in jeopardy. The Hong Kong government takes data privacy very seriously, and VTech should face fines and possibly other civil or criminal penalties for failing to secure customer data.

Most importantly, this highlights the failings of many Internet of Things companies on the security front. Companies concentrate on developing usable devices that connect to the Internet, but secure methods of information transmission and information storage are forgotten or ignored. Especially in Hong Kong, which lacks a large community of technologists, these failings are all too common.
