Skip to main content
  1. Home
  2. Web
  3. News

Man arrested in UK over suspicion of involvement in VTech attack

Kris Wouk
By

vtech disclaimer of responsibility for data breach losses tablet app android inno tab max
Image used with permission by copyright holder
Security breaches are increasingly common, but last month parents paid special attention to one in particular as VTech, supplier of educational gadgets for children among other products, suffered a breach in its Learning Lodge app store.

Though the breach took place on November 14, the company only learned of the intrusion 10 days later. Details were scarce at the time, but earlier this month the company revealed that close to 5 million customer accounts and more than 6 million child profiles were affected by the intrusion. Accounts and profiles around the world were affected, including customers in Europe, North America, and Asia.

Recommended Videos

Now the first arrest in relation to the breach has been made, as U.K. authorities have arrested a 21-year-old man in Berkshire. The man, whose identity has not been revealed, is being held on suspicion of “unauthorized access” to a computer, according to the South East Regional Organised Crime Unit (SEROCU).

Related

“We are still at the early stages of the investigation and there is still much work to be done,” SEROCU cybercrime head Craig Jones said. “Cybercrime is an issue which has no boundaries and affects people on a local, regional, and global level”

Some data obtained in the breach is believed to have been posted online, albeit briefly, the BBC reports. Some of the information confirmed to reside in the database includes names, passwords, IP addresses, and information about children, including names, ages, and genders. No credit card data was stored in the database that was breached.

For the time being, VTech has temporarily shut down its Kid Connect app, which allowed the attacker to gain access to photos. The company has also advised customers to change their login credentials, including their password retrieval information.

SEROCU says that the investigation is still in the early stages, so it’s possible if not likely that we’ll see more arrests related to the attack.

Editors' Recommendations

Topics
Kris Wouk
Kris Wouk
Former Digital Trends Contributor
Kris Wouk is a tech writer, gadget reviewer, blogger, and whatever it's called when someone makes videos for the web. In his…
OnePlus customer data stolen in second data breach in two years
oneplus 7t macro lens iphone 11 lacks cameras

Phone company OnePlus has suffered another data breach, with an undisclosed number of customer names, contact numbers, email addresses, and shipping addresses stolen by an unnamed hacker or group.

This comes less than two years after up to 40,000 customers' private information was stolen from OnePlus, leading to credit card fraud using customers' details. In this case, the breach only came to light when the issue of credit card fraud was raised by a user on the OnePlus forums. An investigation subsequently discovered a malicious script had been gobbling up customer credit card details when they were entered into the OnePlus website.

Read more
Lawsuit alleges Equifax’s stupid password made it super-easy to steal your data
cfpb investigation equifax hack headquarters

Remember that epic Equifax hack from 2017? As it turns out, the company made it pretty easy for hackers to get in. A recent filing in the United States District Court for the Northern District of Georgia, Atlanta Division points out a few of the company’s missteps that might have led to the breach.
The first of those issues comes in the form of the password the company users to protect a portal used to manage credit disputes. While you might think a major company holding personal information like people’s names, addresses, and social security numbers might use an exceptionally secure password in that instance, it actually went for something a different: It used “admin” as both the username and password for the portal.
Not exactly the most secure move.
If the shoddy password wasn’t enough, the company also stored unencrypted user information on a public-facing server. That meant that any attacker that compromised the website’s server would immediately have access to all the personal information stored on it, with no additional work required.
The website also wasn’t the only thing it left unencrypted. The company also failed to encrypt its mobile applications, so not only was it keeping sensitive data unencrypted on its own server, it was transmitting that data unencrypted over the internet.
When it did finally encrypt that data, it “left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”
The court filing suggests that the inadequacies in Equifax’s encryption protocol fell short of industry standards and data security laws, going as far to say that the company “did not know what they were doing with respect to data security.”
The hack on Equifax in 2017 reportedly impacted approximately 147 million people, exposing their personal information and social security numbers.
As part of a settlement from the incident, Equifax is paying more than $300 million toward credit monitoring services for the impacted customers. It’s also compensating customers who paid out-of-pocket expenses as a result of the breach.
If you were impacted, you can apply to receive credit monitoring services or a $125 settlement via Equifax’s site now.

Read more
Doordash data breach affects 4.9 million people, divulges physical addresses
DoorDash breach | Doordash app on a phone

Doordash is the latest tech company to suffer a major data breach. The company has announced that an unauthorized third party was able to gain access to Doordash user data on May 9, 2019, in a breach that affected a hefty 4.9 million users, delivery drivers, and merchants. According to the company, users who joined after April 5, 2018, were not affected by the breach.

"We take the security of our community very seriously. Earlier this [year], we became aware of unusual activity involving a third-party service provider," said the company in a blog post. "We immediately launched an investigation and outside security experts were engaged to assess what occurred."

Read more