Police arrest 21-year-old British man over VTech attack

News by Tom Reeve

A 21-year-old man from Bracknell, UK has been arrested in connection with the hacking of the toymaker, VTech.

VTech announced last month that its Learning Lodge app store database had been breached, triggering an internal investigation and a report to law enforcement authorities. Personal details of 6.4 million children and 4.9 million adults were lost in the attack.

Officers from the South East Regional Organised Crime Unit (SEROCU) arrested the man this morning on suspicion of unauthorised access to a computer to facilitate the commission of an offence, contrary to section 2 of the Computer Misuse Act 1990, and on suspicion of causing a computer to perform a function to secure/enable unauthorised access to a program/data, contrary to section 1 of the Computer Misuse Act 1990.

A number of electronic items were seized to be examined by SEROCU's Cyber Crime eForensics Unit.

Craig Jones, head of the cyber crime unit at SEROCU, said: “Cyber criminality is affecting more and more business around the world and we continue to work with our partners to thoroughly investigate, often very complex cases.

“We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with our partners to identify those who commit offences and hold them to account.”

At the time of the breach, VTech was keen to point out that no financial information was taken, but Javvad Malik, a security advocate at security company AlienVault, told SCMagazineUK.com that the loss of children's personal information was the more pressing issue: “Compared to adult identity theft, the danger with a child's identity being stolen is that they may not be aware of it until they are old enough to apply for a bank account, credit card, driving licence, mortgage or job. So technically, someone could steal a child's identity and use that information until the child is 18 years old – by which time their credit rating or other personal records may be damaged beyond repair.”

Troy Hunt, an Australian security researcher who got the first look at the stolen information, told SC the breach revealed VTech as employing poor practice when it came to security, saying the company used technology that was “very old with most of the technology dating back half a decade or more”.

Hunt added, “Unfortunately they just didn't maintain the systems as technology evolved and new threats emerged.”

Idan Tendler, a veteran of the Israel Defence Force's signals intelligence unit and CEO of Fortscale, had similarly harsh words for VTech: “While there really is no excuse for any company to suffer from a lack of security, those that cater especially to kids should employ every available safeguard to ensure that these children are safe.”

Yet more vulnerabilities were exposed in VTech products earlier this month when cyber-security consultancy Pen Test Partners showed that certain products were based on weak, easily crackable technology.

No one from VTech was available for comment today.
