U.S. states probe VTech hack, experts warn of more attacks

Attorneys general in the U.S. states of Connecticut and Illinois said on Monday that they would probe the breaches, though their representatives declined comment on the focus of their inquiries.

The Hong Kong-based toymaker disclosed the attack on Friday, saying information about nearly 5 million adults and children had been stolen in an attack on a portal used to download games to its computer tablets.

Hong Kong Privacy Commissioner for Personal Data Stephen Wong said his office had initiated a "compliance check" on VTech to see if the company had followed data privacy principles.

Technology news site Motherboard reported on Friday that the data belonging to some 4.8 million adults and more than 200,000 children. VTech did not break out the number of children affected.

Motherboard reported on Monday that the hackers also stole photos and chat logs from VTech's Kid Connect service, which allows adults to use their smartphones to chat with kids using VTech tablet. (bit.ly/1XCLIjU)

VTech did not respond to requests for comment on the state probes or the Motherboard reports, which Reuters could not independently verify. Hong Kong's Cyber Security and Technology Crime Bureau said it did not receive any report from VTech.

Privacy Commissioner Wong also said there is not yet "adequate or sufficient information" to say whether children had specifically been targeted in the VTech hack.

Meanwhile, some experts said that they expect to see more breaches involving information collected through digital toys and other web-connected devices, a category of products known in tech circles as the Internet of Things, or IoT.

They said that manufacturers in many industries lack the security experience and expertise that the computer industry has developed over the surge in Internet use over the past two decades.

"You have all these devices and services that are connecting to the Internet by companies that don’t have the experience that older software companies do in securing their data," said Katie Moussouris, chief policy officer with HackerOne, a "bug bountgy" firm that helps businesses work with researchers to find cyber bugs.

"VTech is a toymaker and I don't expect them to be security superstars. They are amateurs in the field of security," said Tod Beardsley, security research manager with Rapid7 Inc.

Toy manufacturers lack rigor in secure software development, said Chris Eng, vice president of research at security software maker Veracode. They are "inevitably going to fall short on security,” he said.

Larry Salibra, chief executive of bug-testing platform provider Pay4Bugs, said that it looks like VTech failed to properly secure sensitive data by encrypting it to be difficult to unscramble and useless if stolen.

Motherboard said it spoke to a hacker who claimed to be behind the attack and said he planned to do "nothing" with the data.

VTech said the breached database included names, email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses, download histories and children's names, genders and birth dates.

The company said the database did not include credit card information, ID card numbers, Social Security numbers or drivers licence numbers.

VTech shares were trading down 0.17 percent in early afternoon at HK$86.75 and are down more than 20 percent this year.

(Reporting by Jim Finkle, Clare Baldwin; Additional reporting by Donny Kwok, Anne Marie Roantree and Yimou Lee; Editing by Bill Tarrant, Steve Orlofsky and Kavita Chandran)