Fraud Alerts

VTech Hack Exposes 6.4 Million Children’s Profiles

Electronic toymaker VTech said Tuesday that the hacker or hackers who infiltrated the company’s computer systems gained access to data from nearly 6.4 million profiles belonging to children.

The Hong Kong-based firm said the security breach was discovered on Nov. 24, more than a week after it occurred. Hackers were able to access email addresses, passwords, mailing addresses and more, as well as the names and birth dates of some children who used VTech’s toys and tablet computers.


Overall, nearly 4.9 million parent accounts were compromised, which were connected to 6.37 million related children’s profiles, VTech revealed on Tuesday. The largest number of accounts accessed were created in the U.S. (more than 2.2 million), followed by France (868,650) and the U.K. (560,487).

Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) announced it was commencing a “compliance check” on Tuesday to determine if VTech had done enough to safeguard its data before the attack and was taking steps to bolster security after.

“VTech indicated that they would notify the PCPD formally about this data leakage incident which involved data of 5 million customers accounts and related kids profiles worldwide,” Stephen Wong, the PCPD’s privacy commissioner for personal data, said Tuesday in a statement.

Punishment for non-compliance can include a fine of more than $6,000 and two years in jail under law in Hong Kong. The stakes are higher for the person who stole the data. If found guilty of causing “psychological harm” to users, the hacker could face a fine of nearly $130,000 and five years in jail.

VTech said that no credit card information was stolen in the breach. VTech said Tuesday in a FAQ that it could not confirm a Motherboard report that the hacker obtained children’s photos as well as audio and chat logs from VTech’s Kid Connect messaging service, because its “investigation is ongoing.”

The company did say that audio files and photos shared on Kid Connect are protected by AES128 encryption, while the chat logs are not.

Tips for Protecting your Information

We would like to remind you of the value of taking good security precautions. It is a good idea to develop strong and secure online passwords and to change them frequently. Below are a few tips for good password practices.

• Include numbers, symbols and letters.
• Use a combination of capital and lowercase letters.
• Do not use the same password across multiple sites.
• Do not store important passwords, such as your home banking password, in your email account.
• Monitor your accounts regularly for suspicious activity.

Report Suspicious E-mails

Internet scams are nothing new, and as more of us conduct our business online, we’re also becoming more savvy at spotting suspicious e-mails. Unfortunately, Internet scammers are becoming more sophisticated in their tactics, for example by creating fake websites that appear to be legitimate but are actually designed to lure unsuspecting users into providing confidential information.

How the “PHISHERS” Lure You

Phishing (pronounced “Fishing”) is an online fraud technique used by criminals to entice you into disclosing your personal information. One of the most common – and successful – techniques is to send you fake messages that mimic valid messages or websites from a company you trust, such as your financial institution, a credit card company, government agency, or online shopping site. The logos and the links all look correct.

Asking For Personal Information

Usually, the messages open by reporting a problem with your account, and will ask you to verify the following information:

• Name and online user name
• Address and phone number
• Social Security Number
• Account password or PIN
• Account number
• ATM/debit or credit card number
• Credit card validation code (CVC). This is the code credit card companies use to authorize credit charges. American Express uses a 4-digit CVC number which appears on the front of your card, while Visa, MasterCard and Discover all use a three-digit number that is on the back.

Providing any of this information is the online equivalent of giving criminals the keys to your house. They can empty your financial accounts, run up charges on your credit cards or open fraudulent credit card accounts in your name. And it can take years to repair the damage to your financial integrity.

Suspicion = Protection

Be suspicious of e-mails that ask for personal information, and be alert to other common scams such as foreign lotteries, requests to transfer funds from overseas bank accounts and work-from-home opportunities.

• Delete any e-mail you don’t trust – even opening a “phishing” e-mail can plant a virus or spyware on your PC.
• Never send confidential information by e-mail. If you think you have been scammed and your confidential information compromised, contact your credit card companies and financial institutions immediately. Report it to the Federal Trade Commission. And contact all three credit reporting bureaus to have alerts placed on your credit reports.

• Equifax: 888.766.0008
• Experian: 888.397.3742
• TransUnion: 888.909.8872

Remember, neither Motion nor any legitimate business will ever send you an e-mail asking for personal information. If you receive an e-mail that you’re suspicious of, don’t respond to it.

10 Ways to Protect Against Debit Card Fraud

1. Update your contact information with your financial institution. Your Credit Union can’t ask you about a suspicious charge unless it has your current phone number.

2. Copy the customer service phone number from the back of each of your debit or credit cards and keep this list in a separate location from your purse or wallet in case a thief steals the latter.

3. Let your financial institution and card issuers know your travel dates and destination. If your card gets swiped at an unusual location, the card issuer may decline the suspicious transaction.

4. Look out for ATMs that appear to be dirty or in disrepair. A fake machine may be set up to capture your card information.

5. Do not use ATMs with unusual signage, such as a command to enter your PIN twice to complete a transaction.

6. Watch out for ATMs that appear to have been altered. If anything on the front of the machine looks crooked, loose or damaged, it could be a sign that someone attached a skimming device.

7. Avoid using the ATM if suspicious individuals are standing nearby. Criminals may try to distract you as you use the machine to steal your cash, or watch as you type in your PIN.

8. Be aware that if your card gets stuck in the machine and someone approaches to help, it may be a scam. A criminal may be trying to watch as you enter your PIN code.

9. If your card gets stuck in the machine, call your financial institution promptly to report the incident.

10. As you key in your PIN, cover the keypad with your other hand to block anyone, or a camera, from viewing the numbers you type.

Important Note: Remember to check your balance on a regular basis. Federal law doesn’t protect debit cards to the same degree as credit cards when it comes to fraud. If you notify the bank within two days of discovering the card was lost or stolen, your loss is limited to $50. After two days, this amount jumps to $500, and after 60 days of receiving the statement with the fraudulent charges, your loss may be unlimited.
