A 21-year-old man has been arrested in the UK in connection with the recent VTech hack.
He hasn’t yet been named.
VTech, headquartered in Hong Kong, makes a range of educational electronic toys, and runs an online store called Learning Lodge, where you can shop for downloads for your VTech products.
The company was breached recently by a hacker who claimed to have stolen the usual sort of data we hear about in this sort of attack – and much more besides.
As well as names, email addresses, scrambled passwords and the home addresses of nearly 5,000,000 parents, the hacker said he’d filched the names, genders and birthdays of 200,000 children, too.
Worse still, he told on-line magazine Motherboard that he’d also acquired thousands of pictures of parents and kids, a year’s worth of chat logs, as well as audio recordings, some of which were of children’s voices.
According to Motherboard:
While probing VTech servers, the hacker found tens of thousands of pictures of parents and kids. Some are blank, or duplicates, so it’s hard to establish exactly how many are legitimate pictures. But the hacker said he was able to download more than 190GB worth of photos, and considering that there were 2.3 million users registered in the Kid Connect service, it’s likely there were tens of thousands, or more, headshots of parents and kids, according to the hacker.
The hacker shared a sample of 3,832 image files with Motherboard for verification purposes, but he also said he doesn’t intend to publish or sell the data.
”Frankly, it makes me sick that I was able to get all this stuff,” the hacker told [us] in an encrypted chat. “VTech should have the book thrown at them.”
For now, however, it looks as though the 21-year-old, from Bracknell, UK (about 50km west of London), is going to have the book thrown at him.
The UK’s South East Regional Organised Crime Unit (SEROCU) reports that his arrest was on charges under the Computer Misuse Act for unauthorised access to VTech’s systems, and unauthorised access to the company’s data.
As Craig Jones, Head of the Cyber Crime Unit at SEROCU, points out:
Cyber crime is an issue which has no boundaries and affects people on a local, regional and global level. I would like to urge everyone to check their home and business computer security and follow the advice available on sites such as cyberstreetwise.com and getsafeonline.org.
Also, don’t forget our popular, family-friendly, series of tips for Advent 2015, which we’ll be running until Christmas.
If you’ve got webcams, internet-enabled toys, online thermostats, or even a connected kettle in your home…
…don’t forget that security matters for all those devices too, not just for your laptop and your mobile phone.
💡 TAKE A LOOK AT OUR ADVENT TIPS – Security advice for you, your friends and family ►
Mahhn
He should have notified them and not downloaded more than proof of concept, or just screen shots to show access, then he “might” have received a reward and not punishment.
Shame on Vtech for not noticing the huge download to one user, besides leaving holes.
If he was honest about: “he doesn’t intend to publish or sell the data.” hopefully they will consider that, and get him into a positive roll and not push him to – The Dark Side.