By Clare Baldwin and Donny Kwok
HONG KONG (Reuters) - The theft of toy maker VTech Holdings Ltd's database highlights a growing problem with basic cyber security measures at small, non-financial companies that handle electronic customer data, industry watchers said on Monday.
The hacked data at VTech included information about customers who download children's games, books and other educational content, the Hong Kong-based toy maker said. The breach also included information relating to children.
As more devices are connected to the Internet and as companies increasingly collect personal information about their customers, such attacks are expected to increase.
"Smaller companies might be targeted less often, but the implications ... can be just as serious," said Bryce Boland, Asia Pacific chief technology officer of cyber security firm FireEye. "As larger companies implement stronger security measures, smaller companies become relatively easy targets for cyber crime."
VTech has a market value of HK$21.9 billion ($2.8 billion). Tech giant Apple Inc has a market capitalization of $657 billion.
In VTech's case, information that should have been obscured and unrecoverable if the database were breached - such as passwords and secret answers - either wasn't obscured at all or was done so improperly, said Larry Salibra, founder and chief executive of crowd-sourced bug-testing platform, Pay4Bugs.
Salibra said these types of security measures were basic best practices that don't require a lot of money. "This seems to be a trend. Hardware manufacturers really don't value software skills - I would imagine because they don't see any immediate positive impact to their bottom line," Salibra said.
"Software talent is an easy place to be cheap with minimal consequences until something like this happens."
VTech said in a statement that about 5 million customer accounts and related children's' profiles worldwide were affected. It did not break out how many profiles belonged to parents and how many to children. News site Motherboard reported that data belonging to some 4.8 million parents and more than 200,000 children was taken.
The site said it had spoken to a hacker who claimed to be behind the attack, who said he planned to do "nothing" with the data. Motherboard's report could not be independently confirmed.
VTech said the breached database included names, email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses, download histories and children's names, genders and birth dates.
The company, which sells children's tablets, electronic learning toys and baby monitors, said the targeted database did not include credit card information, ID card numbers, Social Security numbers or drivers licence numbers.
Vtech said it has taken steps to prevent further attacks but did not provide details. It said it has emailed every account holder.
Vtech's stock has fallen 22 percent this year. Shares and trade in other VTech securities were suspended on Monday morning.
(Reporting by Clare Baldwin and Donny Kwok; Additional reporting by Yimou Lee and Stella Tsang; Editing by Anne Marie Roantree and Bill Tarrant)