‘This is a wake-up call for Hong Kong’: VTech data hack reveals cybersecurity not taken seriously by local businesses

Pundits urge local companies to step up their defences in wake of hacking of children’s learning products maker, one of the most scandalous corporate data breaches in the city in recent years.

PUBLISHED : Tuesday, 01 December, 2015, 7:56pm
UPDATED : Wednesday, 02 December, 2015, 4:53pm

A beguiling indifference to cybersecurity in Hong Kong may be to blame for the large-scale hacking of customers’ accounts at children’s learning products maker VTech, which marks the biggest and potentially most scandalous corporate data breach in the city since 2011.

In a swift response, Hong Kong’s privacy commissioner Stephen Wong Kai-yi said Tuesday an investigation has been launched to look into VTech’s system of collecting personal data and the safeguards used to protect that information.

He also warned people, especially children and teenagers in the city, to be wary of privacy breaches arising from websites and mobile apps that collect large quantities of personal data from them.

VTech said in a Hong Kong stock exchange filing that about five million customer accounts, including the profiles of more than 200,000 children, were broken into from its Learning Lodge app store database on November 14. The company said it discovered the breach on Tuesday of last week.

The ransacked digital information included customers’ names, email addresses, passwords and download history, as well as the names, gender and birth dates of children who used the Learning Lodge site to get apps, games and electronic books.

VTech, however, “left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents”, according to a new report by online magazine Motherboard based on its interview with the unidentified hacker.

The report said the hacker, who shared a sample of 3,832 image files with the online publication for verification, did not intend to publish or sell the data he obtained from VTech.

VTech has not responded to the South China Morning Post’s inquiries about the number of affected Hong Kong customers, as well as the reported children’s pictures and chat files.

“Under the restrictions of the law, we cannot disclose details of an ongoing investigation, but since it involves a lot of sensitive data, the case is of a serious nature and we are looking into it,” said the privacy commissioner.

Experts described the massive hacking at VTech, also known as the world’s largest maker of cordless telephones, as a big blow to Hong Kong’s longstanding efforts to protect personal data.

Companies in the city have been accused of not taking the issue seriously enough in the past. Even universities have been warned of stepped-up attacks in the wake of last year’s Occupy Central pro-democracy protests.

Lawmaker Charles Mok said many Hong Kong companies “still do not know how to comply with data privacy regulations in Hong Kong”, which came into force back in 1996.

Paul Haswell, a partner at law firm Pinsent Masons, said he hoped that the VTech incident would lead to an amendment of existing data privacy laws so that stiffer penalties can be slapped on those who fail to comply.

“This is a wake-up call for Hong Kong: The first high-profile data breach suffered by a Hong Kong company that is likely to have worldwide ramifications,” Haswell said.

The attorneys-general in the US states of Connecticut and Illinois have also announced plans to conduct their own probe into the VTech security breach, a Reuters report said.

Michael Gazeley, the managing director at security services provider Network Box, said most Hong Kong firms do not take cybersecurity risks seriously enough.

“The current level of denial within organisations about the need for effective cybersecurity would make an ostrich proud,” Gazeley said.

“It’s 2015, not 1985. Organisations cannot stick their heads in the sand.”

The last major cybersecurity incident in the city happened in 2011, when hackers from overseas crashed the Hong Kong stock exchange regulatory disclosure website. That forced the suspension in trading of large blue-chip companies, including HSBC and Cathay Pacific Airways.