FAQ about Cyber Attack on VTech Learning Lodge (last updated: 17:00, March 17, 2016, HKT)


Last updated: 17:00, March 17, 2016 (HKT)

About the Re-opening of Learning Lodge

1. When did the Learning Lodge go back online?

2. What services are now back online?

3. What can I expect to see when I connect back to the Learning Lodge?

4. Can I delete my Learning Lodge account?

5. Can I register a new product on a Learning Lodge account?

6. Can my product use the app store now?

7. What about Kid Connect?

8. What about PlanetVTech and other suspended websites?

 

About the incident

9. I have heard that there was a data breach on a VTech website – can you confirm if this is true?

10. What websites were affected?

11. When did you find out about the breach?

12. When did you inform customers and the public about the incident?

13. How many customers are affected?

14. Could you provide a breakdown of number of people affected by each country?

15. How did the hacker get into your database?

16. It is reported that the UK police have arrested a 21-year-old man in connection with the hacking. Do you have any comment to make?

17. What kind of information is in the databases?

18. Was any credit card information stolen?

19. Why do you need to retain this customer information?

20. Is there anything I can do to better protect myself?

21. What are VTech doing to protect data stored on Kid Connect?

22. Have VTech informed their customers?

23. Have VTech reported the case to any authorities? Are you being investigated?

 
 
1. When did the Learning Lodge go back online?

Key functions of Learning Lodge and the app store for selected products went back online on Saturday, January 23, 2016 HKT.


2. What services are now back online?

Customers of Learning Lodge connected products are now able to securely register accounts for new products, manage their existing accounts and change passwords. The Learning Lodge app store has also re-opened for all connected products. For the complete list of opened services and supported products, please refer to the table.


3. What can I expect to see when I connect back to the Learning Lodge?

For existing Learning Lodge customers using the Download Manager installed on a PC/Mac:

  • Your Learning Lodge program will be automatically updated and installed on your computer
  • You will be asked to change your password
  • You also need to provide parental consent for data collection from your children

For InnoTab/Storio MAX customers with an existing Learning Lodge account:

  • You need to access “Parental Control” for a firmware update
  • You will be asked to change your password
  • You also need to provide parental consent for data collection from your children


4. Can I delete my Learning Lodge account?

Yes. You can use either the Learning Lodge program or a web browser to do so. Please refer to the Learning Lodge download webpage of your region for detailed information. However, VTech will need to keep a copy of your account data for a time in order to be able to respond to potential legal inquiries regarding the breach. But VTech will not access or process that data other than to respond to such inquiries.


5. Can I register a new product on a Learning Lodge account?

Customers of Learning Lodge connected products can now register their new products securely. For the complete list of supported products, please refer to the table.


6. Can my product use the app store now?

All Learning Lodge connected products are now able to use the app store. Please check out here for the full list of opened services and supported products.


7. What about Kid Connect?

Kid Connect remains suspended at this time. We apologise for the continued inconvenience. We are working as fast as we can to bring it back online.


8. What about PlanetVTech and other suspended websites?

PlanetVTech will not be re-opened. We currently have no plan to re-open the other websites and services.


9. I have heard that there was a data breach on a VTech website – can you confirm if this is true?

While the forensic investigation is still underway, the information we currently have indicates that on or about November 12, 2015 HKT an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database, the PlanetVTech website, and Kid Connect servers. Learning Lodge allows our customers to download learning games, e-books and other educational content to their VTech products. Kid Connect is a service that allows children and parents to exchange voice and text messages, photos, drawings and fun stickers between VTech tablets, DigiGo and parents’ smartphones. PlanetVTech was a website that provided interactive games for children.


10. What website was affected?

VTech's Learning Lodge app store customer database was affected, and servers of PlanetVTech and Kid Connect were accessed. As a precautionary measure, we temporarily suspended Learning Lodge, the Kid Connect service and the following websites on November 29, 2015 HKT while we conduct a thorough security assessment.

  • www.planetvtech.com
  • www.lumibeauxreves.com
  • www.planetvtech.fr
  • www.vsmilelink.com
  • www.planetvtech.de
  • www.planetvtech.co.uk
  • www.planetvtech.es
  • www.proyectorvtech.es
  • www.sleepybearlullabytime.com
  • de.vsmilelink.com
  • fr.vsmilelink.com
  • uk.vsmilelink.com
  • es.vsmilelink.com


11. When did you find out about the breach?

We received an email from a journalist asking about the incident on November 23, 2015 EST. After receiving the email, we carried out an internal investigation and on November 24, 2015 detected that some irregular activity took place on our Learning Lodge website on or about November 14, 2015 HKT. Our investigation confirmed on November 26, 2015 HKT that a breach had occurred. We immediately began a comprehensive check of the affected sites and are taking thorough actions against future attacks.


12. When did you inform customers and the public about the incident?

  • After confirming the facts surrounding the unauthorized access to our customer database, we published a statement on our global website on Friday, November 27, 2015 HKT outlining the details of the data breach. On the same day, we sent email notification of the incident to all affected Learning Lodge and Kid Connect account customers.
  • We published a second statement on Monday, November 30, 2015 HKT.
  • A third press release with additional information was published on Thursday, December 3, 2015 HKT.
  • A fourth statement about the re-opening of Learning Lodge was published on Monday, January 25, 2016 HKT.


13. How many customers are affected?

Our Learning Lodge, Kid Connect and PlanetVTech customers are affected. Here are the details:

a. Learning Lodge

In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected. Among those approximately 6.3 million kid profiles, approximately 1.2 million of them have Kid Connect service enabled. Kid profiles only include name, gender and birthdate.

b. PlanetVTech

There are 235,708 parent accounts and 227,705 kids’ profiles in PlanetVTech.


14. Could you provide a breakdown of number of people affected by each country?

According to our current information, the breakdown of Learning Lodge customers by country is as follows:

| Country | Parent Accounts | Child Profiles |
|---|---|---|
| United States | 2,212,863 | 2,894,091 |
| France | 868,650 | 1,173,497 |
| United Kingdom | 560,487 | 727,155 |
| Germany | 390,985 | 508,806 |
| Canada | 237,949 | 316,482 |
| Others | 168,394 | 223,943 |
| Spain | 115,155 | 138,847 |
| Belgium | 102,119 | 133,179 |
| Netherlands | 100,828 | 124,730 |
| Republic of Ireland | 40,244 | 55,102 |
| Latin America | 28,105 | 36,716 |
| Australia | 18,151 | 23,096 |
| Denmark | 4,504 | 5,547 |
| Luxembourg | 4,190 | 5,014 |
| New Zealand | 1,585 | 2,304 |


15. How did the hacker get into your database?

We are currently investigating how the hacker was able to access the database. What is clear is that this was a criminal act and a well-planned attack. Our Learning Lodge, Kid Connect and PlanetVTech databases have been attacked by a skilled hacker. Upon discovering the breach, we immediately began a comprehensive check of the affected sites and are taking thorough actions against future attacks. Based on our latest investigation, no other VTech online sites have been affected.


16. It is reported that the UK police have arrested a 21-year-old man in connection with the hacking. Do you have any comment to make?

As the investigation is on-going, other than the information announced by the South East Regional Organised Crime Unit (SEROCU) in the UK, there is no further information available at the moment.


17. What kind of information is in the databases?

  • Our databases contain Learning Lodge and Kid Connect data with details listed below:
    a. Learning Lodge

    - Parent account information including name, email address, secret question and answer for password retrieval, IP address, mailing address, download history, history of device purchases, and password.

    - Kid profiles created by parents, including child's name, gender and birthdate.

    - Progress logs to track kids’ games, for parents’ reference.

    b. Kid Connect

    - Parent account information including email address and password, and parent and child profile photos and user names.

    - Kid Connect chat and voice messages and photos (sent by kids or parents).

    - Bulletin board postings made by parents and their children.

    c. PlanetVTech

    - Parent account information including name, email address, secret question and answer for password retrieval, mailing address, history of device purchases, and password.

    - Kid profiles created by parents, including child’s name, avatar name, password, gender and birthdate.

    - Game score.

  • Our databases do not contain any credit card or debit card or other financial account information. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third-party payment gateway.
  • Our databases do not contain ID card numbers, Social Security numbers, driving license numbers or similar data.


18. Was any credit card information stolen?

No, our Learning Lodge website database does not contain any credit or debit card or other financial account information, and VTech does not process or store any customer credit or debit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third-party payment gateway.


19. Why do you need to retain this customer information?

Learning Lodge allows our customers to download learning games, e-books and other educational content to their VTech products. Customers need to set up an account for such transactions. The information is used to identify the customer, market our content and track their downloads.


20. Is there anything I can do to better protect myself?

We are advising you to immediately change your passwords and secret questions and answers on any other sites or services that may use the same password or secret question and answer as those formerly used on Learning Lodge or PlanetVTech. When you log in to the re-opened Learning Lodge site, you will be asked to create a new password.


21. What are VTech doing to protect data stored on Kid Connect?

The Kid Connect service has been temporarily suspended. We are reviewing our security protocols and will delete all Kid Connect bulletin board contents and unsent messages before we restart the service.


22. Have VTech informed their customers?

Yes, we have communicated the breach to our customers and the general public. We have posted statements and press releases on our website. We will add additional notices when appropriate.

Email has been set up to handle any enquiries as follows:


23. Have VTech reported the case to any authorities? Are you being investigated?

We have appointed data security legal specialists who are liaising with local authorities, including law enforcement agencies investigating the hacking incident.
