Cybersecurity , Data Breach

VTech Breach Suspect Arrested

Police Not Revealing Identity of 21-Year-Old
VTech Breach Suspect Arrested

Police in Britain have arrested a 21-year-old man on suspicion of "hacking offenses" related to the breach of Hong Kong toymaker VTech.

See Also: Managing Identity, Security and Device Compliance in an IT World

The Dec. 15 arrest of the man, whose identity was not revealed, was announced by England's Southeast Regional Organized Crime Unit. Authorities said he's being held on suspicion of violating section 2 of the Computer Misuse Act 1990, which refers to "unauthorized access with intent to commit or facilitate commission of further offenses."

VTech says the breach resulted in profiles relating to 11.2 million people - including 4.9 million adults' accounts and 6.4 million children's profiles - being exposed (see Why VTech Breach is So Bad - and So Avoidable).

In conjunction with the arrest of the man in Bracknell, England - 40 miles west of London - SEROCU reports that it seized "a number of electronic items" that will be subjected to digital forensic examination by its Cyber Crime eForensics Unit.

SEROCU declined to provide further details on the case, except to note Dec. 16 that the suspect has now been released on bail, and is due back in court on March 18, 2016.

"We are still at the early stages of the investigation and there is still much work to be done," says Craig Jones, who heads SEROCU's cybercrime unit. "Cybercriminality is affecting more and more business around the world, and we continue to work with our partners to thoroughly investigate often very complex cases."

VTech has apologized for the breach and said that it has hired FireEye's Mandiant to conduct a related digital forensic investigation and help it strengthen its security. "We are deeply shocked by this orchestrated and sophisticated attack on our network. We regret that users of Learning Lodge, Kid Connect and PlanetVTech, some of whom are colleagues, friends and families, are also affected," says Allan Wong, chairman and group CEO of VTech Holdings.

"We would like to offer our sincere apologies for any worry caused by this incident," Wong adds. "We are taking all necessary steps to ensure that our users can continue to enjoy our products and services, safe in the knowledge that their data is secure."

TalkTalk Attack Parallels, Differences

An alleged hacker who has claimed responsibility for the VTech breach told Vice Motherboard, a technology news site, that he used a SQL injection attack to steal the data. In that respect, the attack parallels the hack of London telecom giant TalkTalk. That breach, also being investigated by British police, resulted in the compromise of nearly 157,000 customers' personal details, including 15,000 customers' bank account information.

TalkTalk was compromised by what CEO Dido Harding has referred to as a "sequential attack," by which she appeared to be referring to a SQL - often pronounced as "sequel" - injection attack.

While the VTech suspect is age 21, the ages of the five TalkTalk hacking suspects arrested to date range from 15 to 20.

The TalkTalk breach also differs from the VTech incident in that Harding said the company had received a related ransom demand. And in November, in connection with the investigation, British police arrested an unnamed 18-year-old man on suspicion of blackmail (see TalkTalk Lesson: Prepare for Breaches).

TalkTalk CEO in the Hot Seat

More details about TalkTalk's information security defenses continue to come to light. On Dec. 15, the British Parliament's Culture, Media and Sport Committee conducted an inquiry into cybersecurity and protecting personal information online. Its sole witness was Harding, who was quizzed on the three separate TalkTalk data leaks that have occurred since December 2014.

Jesse Norman, the Conservative committee chairman, asked Harding who was responsible for TalkTalk's security. Harding replied that she was responsible - "before the attack and now" - due to cybersecurity being a board-level concern, according to the U.K. technology news outlet Computing.

But she also revealed that there is no single individual in the organization charged with overseeing information security, the Guardian reports. "The line responsibility for keeping our customers' data safe is split among a number of teams," Harding told the committee. "It's impossible in a telecoms company to say security only sits with a director of security. If there is a criminal attack, the question is was there a sufficient oversight by the board."

This story has been updated to note that the suspect arrested by SEROCU has been released on bail.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network