Half a million UK families at risk as hackers target toy firm
THE names, addresses and personal details of nearly 500,000 British families and their children have been obtained by hackers in a cyberattack on an electronic toy firm’s website, it was revealed last night.
Toy giant Vtech admitted that a database of names and addresses holding up to five million accounts worldwide had been breached. The website is used for downloading children’s games, books and other educational content.
It is not known whether any of the details could be used to contact children directly while playing the games, but IT experts described the information as a ‘goldmine for fraudsters’.
Vtech, which sells children’s tablets, electronic learning toys and baby monitors, announced the attack in a statement on its website but did not reveal how many records were stolen.
The breach occurred two weeks ago, on November 14, yet the firm claimed they only learned about it on November 23 from an internet journalist who had been in contact with the hackers.
The compromised information includes names, email addresses, passwords and home addresses of parents, as well as first names, genders and dates of birth of children.
A large amount of data, which looked like it could be from the hack, was seen online but has now been hidden, according to experts. It appeared to include a considerable number of children’s names, dates of birth and their gender.
Australian web specialist Troy Hunt told the MoS he had seen 490,375 accounts from the UK.
In an email to customers, Vtech said: ‘Upon discovering the unauthorised access we immediately conducted a thorough investiga- tion, which involved a comprehensive check of the affected site and implementation of measures to defend against further attacks.’
The company stressed it was ‘important to note that our customer database does not contain any credit card or banking information’.
However it does have what Vtech calls ‘general user-profile information’, such as ‘name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history’.
Andy Norton from data security experts FireEye said: ‘Because this involves children it’s very emotive, and that can be an advantage to scammers. I’m not sure this information could be of use to paedophiles, but if that somehow turned out to be the case, it would of course be absolutely catastrophic.
‘But quite apart from that, this is the kind of data which could be a goldmine to fraudsters who are trying to gain your confidence.
‘Imagine if someone phoned you up and told you your child’s name, age and address and said he’d fallen over at school and they needed some kind of payment right now for emergency dental treatment to save his teeth.
‘It wouldn’t always work, but it’s a fair bet that some people would fall for something like that.’
He said the type of hack involved appeared to be a ‘fairly common’ method, which can be protected against quite routinely if a risk assessment classes it as necessary.
No spokesman for Hong Kongbased Vtech was available last night to comment.