VTech Breach – Lax Security and Weak Crisis Communication

Erik Bernstein data breach Leave a Comment

Missing compassion leaves response lacking

The sheer number of data breaches we see these days has desensitized people to a certain extent, but what happens when children are suddenly thrown into the mix?

Earlier this month, hackers snatched the personal information of nearly 5 million parents who had registered with popular children’s tablet/e-toy company VTech. Compounding the issue is the fact that children’s names and even pictures are often registered with VTech devices as well, and information connected to as many as 200,000 little ones has been exposed along with that of their parents.

Accusations of weak encryption and an overall lack of security are already flying from respected tech outlets like ArsTechnica and Motherboard, which appears to have actually been the one to inform VTech itself of the hack.

VTech shared an initial response via its online newsroom on November 27, followed by an update this morning:

VTech Holdings Limited noted that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on 14 November 2015. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.

Upon discovering the unauthorized access on 24 November 2015, we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.

Our customer database contains user profile information including name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history. In addition the database also stores kids information including name, genders and birthdates. In total about 5 million customer accounts and related kids profiles worldwide are affected.

It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.

In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

We have reached out to every account holder in the database, via email, to alert them of this data breach and the potential exposure of their account data. The following email enquiry contacts have also been set up:

US: vtechkids@vtechkids.com

Canada: toys@vtechcanada.com

France: explora_park@vtech.com

Germany: downloadmanager@vtech.de

Netherlands: exp@vtech.com

Spain: informacion@vtech.com

UK: consumer_services@vtech.com

Australia and New Zealand: enquiriestoys_aunz@vtech.com

Hong Kong: corporate_mail@vtech.com

Other countries and regions: corporate_mail@vtech.com

Furthermore, as an additional precautionary measure, we have suspended Learning Lodge and the following websites temporarily for thorough security assessment and fortification.














We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future. Our Privacy Statement can be found on our website here. The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech. We will provide further updates as appropriate in the future.

Further details are provided in the FAQ section.

While the response does address the issue at hand, what it utterly fails to address is the emotions of VTech stakeholders. It’s always important to demonstrate understanding and compassion for the mental state of your audience, and doubly so when their children are involved. Given that the breach is actively being dealt with we wouldn’t expect it to turn people away from VTech products en masse, but it will make parents think twice before registering sensitive info like children’s names and the credit cards that allow them to make those ever-profitable in-device purchases.

Leave a Reply