21-year-old arrested for VTech hack

The UK South East Regional Organised Crime Unit (SEROCU) said on Tuesday that it has arrested a 21-year-old man in connection with the hack on the Hong Kong company VTech.

The man was held on suspicion of “unauthorised access to computer to facilitate the commission of an offence” and of “causing a computer to perform a function to secure/enable unauthorised access to a program/data”.

VTech, a company that specialises in children’s hi-tech learning aids such as toy laptops and games, was subject to an SQL injection attack on its ‘Learning Lodge’ database. The database contained not only general user profile information, including names and email addresses, but also weakly encrypted passwords, secret questions and answers for password retrieval in clear text, and download histories. It was also possible to connect the details of children, such as their date of birth, gender etc., to their parents’ accounts, thereby revealing their address.

Following the hack, VTech was quick to reassure customers that the database breach did not reveal any credit card information as VTech does not process or store customer credit card data on the Learning Lodge website, or hold personal ID.

Although the cyber criminal gang did not manage to get hold of credit card or confidential financial information, it did cause VTech huge embarrassment and untold commercial and reputational damage by revealing customers’ personal details – especially those of kids. Consequently, Craig Jones, head of the cyber crime unit at SEROCU, said: “Cyber criminality is affecting more and more businesses around the world and we continue to work with our partners to thoroughly investigate often very complex cases.

“We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with our partners to identify those who commit offences and hold them to account.”
