Millions of children have had their personal data stolen after hackers attacked VTech Holdings Ltd. (0303.HK).
The Hong Kong-based toymaker described the hacking as the largest known theft of children’s personal details, Reuters reports.
It said more than 6.4 million children and nearly five million adults were affected.
The attack targeted its Learning Lodge app store and Kid Connect messaging system.
Security experts said they expect the size of the breach to prompt governments to scrutinize VTech and other toymakers to review their security.
“The disclosure of the scope of the breach is disturbing,” said Jaclyn Falkowski, a spokeswoman for Connecticut’s attorney general.
Connecticut and Illinois said on Monday they plan to investigate the breach.
Regulators in Hong Kong are also looking into the matter.
“This breach is a parent’s nightmare of epic proportions,” said Seth Chromick, a threat analyst with network security firm vArmour.
“A different approach to security for all organizations is needed.”
Chris Wysopal, co-founder of cyber security firm Veracode, said it could be a wake up call for families in the same way that the hack on infidelity website Ashley Madison earlier this year made adults realize online data might not be safe.
VTech said in a statement that children’s profiles included name, gender and birth date.
Stolen adult data included name, mailing address, e-mail address, password retrieval questions, IP address and passwords.
The most VTech customers affected were in the United States, followed by France, the United Kingdom, Germany, Canada, Spain, Belgium and the Netherlands.
Shai Samet, a security expert who audits toymakers for compliance with the US government’s Children’s Online Privacy Protection Act, said he believed the case would lead many toy companies to “rethink” security protections on children’s data.
Technology news site Motherboard, which broke news of the breach last week, reported that the person who claimed responsibility for the hack said “nothing” would be done with the stolen information.
Security experts were skeptical, noting that the stolen data could be worth millions of dollars.
– Contact us at [email protected]