‘This is a wake-up call for Hong Kong’: VTech data hack reveals cybersecurity not taken seriously by local businesses
Pundits urge local companies to step up their defences in wake of hacking of children’s learning products maker, one of the most scandalous corporate data breaches in the city in recent years.
In a swift response, Hong Kong’s privacy commissioner Stephen Wong Kai-yi said Tuesday an investigation has been launched to look into VTech’s system of collecting personal data and the safeguards used to protect that information.
VTech said in a Hong Kong stock exchange filing that about five million customer accounts, including the profiles of more than 200,000 children, were broken into from its Learning Lodge app store database on November 14. The company said it discovered the breach on Tuesday of last week.
The ransacked digital information included customers’ names, email addresses, passwords and download history, as well as the names, gender and birth dates of children who used the Learning Lodge site to get apps, games and electronic books.
VTech, however, “left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents”, according to a new report by online magazine Motherboard based on its interview with the unidentified hacker.
The report said the hacker, who shared a sample of 3,832 image files with the online publication for verification, did not intend to publish or sell the data he obtained from VTech.
VTech has not responded to the South China Morning Post’s inquiries about the number of affected Hong Kong customers, as well as the reported children’s pictures and chat files.
“Under the restrictions of the law, we cannot disclose details of an ongoing investigation, but since it involves a lot of sensitive data, the case is of a serious nature and we are looking into it,” said the privacy commissioner.
Experts described the massive hacking at VTech, also known as the world’s largest maker of cordless telephones, as a big blow to Hong Kong’s longstanding efforts to protect personal data.
Lawmaker Charles Mok said many Hong Kong companies “still do not know how to comply with data privacy regulations in Hong Kong”, which came into force back in 1996.
Paul Haswell, a partner at law firm Pinsent Masons, said he hoped that the VTech incident would lead to an amendment of existing data privacy laws so that stiffer penalties can be slapped on those who fail to comply.
“This is a wake-up call for Hong Kong: The first high-profile data breach suffered by a Hong Kong company that is likely to have worldwide ramifications,” Haswell said.
Michael Gazeley, the managing director at security services provider Network Box, said most Hong Kong firms do not take cybersecurity risks seriously enough.
“The current level of denial within organisations about the need for effective cybersecurity would make an ostrich proud,” Gazeley said.
“It’s 2015, not 1985. Organisations cannot stick their heads in the sand.”