U.S. states to probe breach at digital toymaker VTech

By Jim Finkle

(Reuters) - At least two U.S. states plan to investigate a breach at Hong Kong-based toymaker VTech Holdings Ltd, which surfaced late last week and exposed data of millions of customers who use a portal for downloading content including children's games.

"We are aware of the breach and will be looking into it," Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen, said on Monday.

"Illinois will investigate," said Eileen Boyce, a spokeswoman for Illinois Attorney General Lisa Madigan.

They did not discuss the focus of the probes or say whether they were cooperating with other states, a common practice when multiple U.S. states investigate the same breach.

Representatives with VTech could not be reached for comment. The company makes children's tablets, educational digital toys and baby monitors.

Security experts said the attack, which was disclosed on the crucial Black Friday start of the U.S. holiday shopping season, was noteworthy because it had exposed data of children.

"The fact that the privacy of our most vulnerable little citizens was compromised by this breach is a scary thing," said Katie Moussouris, chief policy officer with HackerOne, a firm that helps businesses work with researchers to find cyber bugs.

She said that toy manufacturers "are figuring out that they can capitalize on Internet connectivity and benefit from having more access to their customers' data, but they have to learn to protect it too."

VTech said in a statement late Friday that about 5 million customer accounts and related children's profiles worldwide were affected. It did not break out the number of children's profiles affected.

The company said the stolen data included names, email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories for adults, along with names, genders and birth dates of children.

The news site Motherboard said a hacker claimed responsibility for the attack but said he planned to do "nothing" with the data. Motherboard's report could not be independently confirmed.

The company, which sells children's tablets, electronic learning toys and baby monitors, said the targeted database did not include credit card information, ID card numbers, Social Security numbers or driver's license numbers.

VTech said it has taken steps to prevent further attacks but did not elaborate.

(Reporting by Jim Finkle in Boston; Additional reporting by Clare Baldwin and Donny Kwok in Hong Kong; Editing by Chizu Nomiyama, Bernard Orr)