VTech’s hacking and a Hong Kong culture which pays little attention to IT security
VTech Holdings Ltd. became computing history’s biggest ever database hack targeting children when the confidential information of 6.4 million children and 4.9 million adults were stolen.
The personal information stolen, which was not encrypted, included names, passwords, secret questions and answers for password retrieval, IP addresses, postal addresses, download histories and children’s names, genders and birth dates according to VTech. It appears that VTech’s I.T. managers failed to implement even basic encryption practices on their data.
The crime attracted global attention partly because about half of the accounts hacked were based in North America, which represents VTech’s biggest market, comprising nearly half of its US$928 million in revenue for the six months ended in September.
VTech’s Chairman and CEO Allan Wong said it is too early to put a figure on the financial impact, but he has not dealt with the disastrous impact on VTech’s brand. It may be finished unless he can decisively communicate beyond bland corporate speak and assure the market and ultimately parents that his products are safe.
Branding represents the trust between the company and its consumers. Its compromise is more destructive and pernicious than financial losses. VTech is about to find this out the hard way.
The problem with Hong Kong firms like VTech, where their roots started in low margin, contract manufacturing services, is that they can’t escape the mentality of an import-export, low cost trading culture.
This encourages shortsighted strategies such as being too cheap to invest in effective information technology security functions. For many of these local firms their idea of an I.T. department is a guy who updates desktop operating systems.
However, as more personal and corporate data are transferred and shared, companies like VTech have become more vulnerable to breaches than they imagine. VTech managers must understand that it is not a toy maker or an educational device manufacturer.
It’s a knowledge company- the hardware is only an incidental platform for utilising data. So data security should be a core competency and an important investment rather than a frivolous expense.
Just as philanderers were shaken by the breach of Ashley Madison’s database of cheaters, families will now no longer be so naïve about the actual risks of childrens’ education products.
This cyber attack has evolved into a public relations and branding debacle. Investors and parents will be watching for how much the company intends to spend on a credible information security framework and department.
Hong Kong companies have a reputation of being careless about data protection. And they are notoriously cheap spenders on data security if you ask local service providers.
Part of the reason is Hong Kong corporate culture. Expenditures on research and development are one of the lowest levels in the region.
According to the Commerce and Economic Development Bureau, investment in research and development only accounts for about 0.7 per cent of Hong Kong’s gross domestic product. This is far behind South Korea (3.6 per cent), Singapore (2.6 per cent), Taiwan (2.3 per cent) and the mainland (2 per cent). It’s a reflection of the city’s economy and dominant industries. Little research or IT capabilities are required if your business is stamping out concrete flats for incredible profits.
A look around Hong Kong company sites shows how backward and underdeveloped they are in terms of design and engagement compared to western companies. They don’t encourage trust in their ability to protect confidential data in today’s challenging environment.
ASM Pacific Technology is listed in Hong Kong and the world’s largest assembly and packaging equipment supplier for the semiconductor and light emitting diode (LED) industries. But, you would not believe it if you visited their website (asmpacific.com). Its content is incomprehensible and its crude design reminds you of a website built by teenagers in the 1990s.
Like many local companies, it probably doesn’t see any value in communicating a sophisticated message on its website like its American counterparts. In today’s internet and media markets, poor content presentation and clumsily designed websites breed distrust, doubt and a lack of professionalism.
VTech will eventually settle its legal problems from this hack. But Chairman and CEO Allan Wong has to wrestle with far more worrisome problems than near term financial losses. The crippling and perhaps permanent impairment of the VTech brand is its gravest threat.