Arrest Made in VTech Toy Security Breach

Kid-friendly gadget maker says unauthorized person got into its database.

By ABC News
December 15, 2015, 10:50 AM

Police in the United Kingdom said today they have arrested a 21-year-old man as part of an investigation into a cyberattack against children's educational toy maker VTech, which the company said potentially exposed the private information of millions of adults and children.

The man, who has not been charged, was not identified by police. He is being held on suspicion of unauthorized access to a computer to facilitate the commission of an offense, according to a statement from police. The arrest was made by the South East Regional Organised Crime Unit (SEROCU) in Bracknell, a town about 30 miles west of London.

Craig Jones, head of the cybercrime unit at SEROCU, said in a statement posted online that officials are still in the early stages of the investigation. It was unclear what led police to the 21-year-old man, and no further details were provided.

VTech makes kid-friendly gadgets, including the InnoTV, which is a gaming system, tablets under the InnoTab brand, and a smartwatch and action camera under its Kidizoom line.

The scope of the VTech cyberattack in November was global. The Hong Kong-based company said its customer database includes people in various countries: the United States, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Hong Kong, China, Australia and New Zealand, in addition to various Latin American countries.

VTech said 4,854,209 parent accounts and 6,368,509 related kid profiles were affected by the security breach, after its Learning Lodge store, a portal where customers can download educational content to their child-friendly VTech devices, had been accessed by an unauthorized party Nov. 14.

VTech's customer database includes "general user profile information," according to the company.

That includes a customer's name, email address, password, secret question and answer for retrieving a lost password, IP address, mailing address and download history. In addition, VTech says its “database also stores kids’ information including name, genders and birthdates.”

The company said credit card data was not exposed because payments are sent to a secure, third-party payment gateway. The company also said in a statement posted online that its Learning Lodge is temporarily suspended during this time.

"We apologize for the inconvenience caused by the cyberattack and appreciate your patience while we work to ensure the security of the VTech Learning Lodge," the statement said.