Hong Kong toy maker VTech braces for possible litigation in US after 6 million children’s accounts leaked in recent hack

Nearly half of hacked accounts in city’s biggest cybersecurity breach in at least five years belonged to kids in America.

PUBLISHED : Wednesday, 02 December, 2015, 9:11pm
UPDATED : Wednesday, 02 December, 2015, 9:15pm

Educational toy maker VTech is expected to face intense legal scrutiny in the United States as more than six million children’s profiles, including nearly half from that country, were exposed by last month’s cybersecurity breach at the Hong Kong-based company.

“VTech will most likely be subject to a number of class-action lawsuits in the US on behalf of parents who fear the damage they will suffer as a result of the data breach,” Paul Haswell, a partner at technology-focused international law firm Pinsent Masons, told the South China Morning Post.

In an updated post on its website on Wednesday, VTech said there were a total of 4.8 million parent accounts and 6.4 million related children’s profiles affected by the hack of its Learning Lodge app store customer database and Kid Connect servers.

READ MORE: ‘This is a wake-up call for Hong Kong’: VTech data hack reveals cybersecurity not taken seriously by local businesses

Also affected were 235,708 accounts belonging to parents and 227,705 children’s accounts at the company’s Planet VTech online games platform.

The company had earlier reported that the profiles of more than 200,000 children were hacked on November 14 from its Learning Lodge website, where children download apps and electronic books.

“Regretfully, our database was not as secure as it should have been,” VTech said.

“Upon discovering the breach, we immediately conducted a comprehensive check and have taken thorough actions against future attacks.”

This massive hack on VTech marks the biggest corporate cybersecurity breach in Hong Kong since 2011. It also ranks as the largest known targeted hack on children’s data worldwide.

“VTech may now be subject to liability in every country where it has collected user data,” Haswell said.

“No doubt VTech will seek to settle such claims as quickly as possible, but that may not save the company from the damage its reputation has suffered.”

Of the total number of children’s profiles exposed by the hack, 2.9 million were from the US and 1.2 million from France.

Other countries with affected customers included Britain, Germany, Canada, Spain, Belgium, the Netherlands, Denmark, Australia and New Zealand.

A VTech representative said the number of those affected in Hong Kong was “very small”, so the company lumped that into “others” in its breakdown.

“The most upsetting part of this incident for the parents will be knowing that their children’s data is out there forever,” said Michael Gazeley, managing director at Hong Kong-based security services provider Network Box.

“Nothing is going to bring it back.”

Hong Kong’s privacy commissioner Stephen Wong Kai-yi on Tuesday said an investigation has been launched into VTech’s system of collecting personal data and the safeguards used to protect that information.

The attorneys-general of the US states of Connecticut and Illinois said on Monday that they plan to conduct their own probe into the VTech data breach

“All US states will be under pressure from parents to take action, particularly given the great sensitivity of the information stolen: Account details, names, dates of birth and even profile pictures,” Haswell said.

“It is now almost impossible to predict the scale of liability that VTech could be subject to.”

In August, US retail chain Target agreed to pay US$67 million to settle claims related to a data breach in 2013 that compromised 40 million credit and debit cards.

Sony in October settled a class-action lawsuit over hacked employee data by paying up to US$8 million.