VTech is the latest in a long line of companies to make headlines for a data breach. But will this be the catalyst for new cyber security regulation?
The personal information of almost 5 million parents and more than 6 million children was stolen in November after a hacker broke into the servers of a company that sells kids toys and gadgets.
The breach of the Hong Kong-based company VTech included the names, email addresses, passwords and home addresses of parents and the first names, genders and birthdays of their children.
This is the fourth largest consumer data breach to date, according to the website Have I Been Pwned, the most well known repository of data breaches online.
Minter Ellison head of insurance and corporate risk (Asia) Will Harrison says the breach could lead to a change in Hong Kong’s cyber security legislation.
“There is no provision for mandatory reporting of data breaches in Hong Kong and no published proposals to introduce any such requirements. However, Hong Kong has a history of legislating in these areas only when there is a sufficient public outcry,” he says.
“It remains to be seen if the recent theft of thousands of children’s and their parents personal information from Hong Kong toy maker, Vtech, could lead to a change on this front.”
As a result of the breach, VTech’s stock price dipped to a year low and the firm has faced criticism for its poor security standards.
According to a Vice Motherboard report, which exposed the leak, the hack was perpetrated with an SQL injection – a simple and well-known hacking technique that firms should be prepared for.
The breach also highlights how digital products aimed at children often have far weaker security than other computer products, and may pose a threat to a booming industry.
Shipments of toys that connect to the Internet will rise 200% over the next five years, according to estimates by UK-based Juniper Research.
The VTech incident has reignited the discussion for data breach notification laws around the world.
Deloitte Southeast Asia financial services industry leader Ho Kok Yong believes that cyber security standards need to become centralised and global.
“Over time, there will be no choice. People will have to move towards one standard. The US standard is at one end of the scale and then [in Asia] you have the other end of the scale,” he says.
“Over time they will have to meet in the middle. The challenge is they have to do it faster and sooner rather than later because today’s businesses are really dependent on technology and cyber space.”
But Willis Singapore executive director Alex Thoms says that, regulation or not, “companies in Asia should be taking a very proactive approach to fully understanding their cyber risks, looking at the risk mitigants in place, and considering cyber insurance as a potential risk transfer solution”.
“The financial consequences of a cyber event can materially effect a company’s bottom line – whether directly as a result of fines, penalties, recovery costs and the like, or indirectly as a result of subsequent customer loss,” Thoms says.
“Ignoring cyber risk shouldn’t be an option.”