Hacking of Hong Kong’s VTech may prove worst cybersecurity breach of 2015 in Asia

Attack exposed over 6 million children’s profiles at the educational toy maker

PUBLISHED : Thursday, 10 December, 2015, 8:34pm
UPDATED : Thursday, 10 December, 2015, 8:34pm

The massive hacking of customer accounts at Hong Kong-based educational toy maker VTech, which left more than six million children’s profiles exposed, may have been the worst cybersecurity breach in the Asia-Pacific this year.

“If we made a top-five list today, VTech would place first on the list for the Asia-Pacific based on the reported number of accounts affected,” Forrester Research senior analyst Heidi Shey said.

The VTech incident last month compromised 4.8 million parent accounts and 6.4 million related children’s profiles on the company’s Learning Lodge app store customer database and Kid Connect servers.

Also affected were 235,708 parent and 227,705 children accounts at the company’s Planet VTech online games platform.

READ MORE: VTech hack in Hong Kong sees industry experts urge firms to lean more on big data to boost cybersecurity

That was worse than the data breach at Japanese online shopping mall operator Rakuten in April, when the identification and passwords of about five million customers were stolen.

A recently published Forrester report showed the Rakuten incident was listed as the top corporate data breach in the Asia-Pacific over the past 12 months. Details of the VTech hack were only released last week.

VTech chairman Allan Wong Chi-yun said he blames an “orchestrated and sophisticated attack on our network” for the incident, which ranks as the largest known targeted hack on children’s data worldwide.

Hong Kong’s privacy commissioner Stephen Wong Kai-yi last week said an investigation had been launched into VTech’s system of collecting personal data and the safeguards used to protect that information.

The company said it was cooperating with law enforcement worldwide to investigate the incident, and has hired US cyber forensic firm Mandiant to help in that effort.

Companies in mainland China and Hong Kong are forecast to remain under siege from growing cyberattacks as the number of data breaches in those two markets escalated this year.

The average number of detected cybersecurity incidents on the mainland and the city increased 417 per cent to 1,245, up from 241 last year, according to a new survey by global professional services firm PwC.

READ MORE: ‘This is a wake-up call for Hong Kong’: VTech data hack reveals cybersecurity not taken seriously by local businesses

“Today, we are witnessing attacks from all angles, but the industries facing the most impact include consumer, retail and technology,” Kenneth Wong, PwC China and Hong Kong’s cybersecurity leader, said on Thursday.

Customer data, internal records and intellectual property were the most targeted data in detected cyberattacks in mainland China and Hong Kong, according to the PwC survey.

Respondents reported a 64 per cent rise in security incidents that compromised customer records, much steeper than the global average increase of 35 per cent.

The average total financial loss due to cybercrime for companies on the mainland and Hong Kong was up 10 per cent to US$2.63 million, compared with US$2.4 million in the survey last year.

Wong pointed out that the numbers from its survey will likely be conservative because many companies rarely publicise cybersecurity incidents in their operations.

Respondents also said current and former employees were the source of half of all the detected data breaches security in the survey.