Late last month, toy maker VTech was hit with a debilitating attack that resulted in an incredible amount of customer data winding up in the wrong hands. Given VTech's abysmal security measures, it's hard to consider the company a "victim" in this attack. Rather, its millions of customers are the ones at risk.
This morning, UK police issued a press release to say that they arrested someone who they believe was behind this attack. A name is not provided, but we are told it was a 21-year-old male from Bracknell, in southeast England. The official charges include using a computer to commit an offense, and gaining unauthorized access to data.
The release reads: "We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with our partners to identify those who commit offences and hold them to account."
So-called "cyberattacks" are nothing new, but their reach is ever-growing. "Cyber crime is an issue which has no boundaries and affects people on a local, regional and global level," says Craig Jones, head of the cyber crime unit at SEROCU.
As a result of the breach, the attacker walked away with at least 190GB worth of customer data, which included names, addresses, email addresses, photos, and even detailed chat logs between parents and children.
While it could be argued that a mere toy has no need to capture that kind of information and send it back to VTech's servers, the company's level of security was so poor that an attack like this was truly inevitable. A lot of information was stored in plain text, including passwords, which of course means salts weren't used. Further, no SSL was used to transmit this sensitive data. Ultimately, the attacker gained access to VTech's servers through SQL injection. After gaining root on the system, he began downloading this massive trove of data.
In this day and age, it's really something to see a company have so little security that it might as well be considered non-existent. VTech has a lot of cleaning up to do, not only with regard to its security protocols, but also with its shattered customer relations.