VTKLY VTech Holdings Ltd (PK)

HONG KONG—VTech Holdings Ltd. is still in the dark over the identify of a hacker who stole the personal information of millions of children and adults, Chairman Allan Wong said, and it may be weeks before its education websites resume service.

In late November, the maker of learning products for toddlers disclosed that an "unauthorized party" hacked into its database and stole information including the names and birth dates of 6.4 million children and 4.9 million adults as well as headshots and chat messages. Almost half the accounts hacked were in North America, VTech's top market, which contributed nearly half of the company's $928 million revenue for the six months ended September.

VTech says its education websites, which include an app store for learning games, e-books and other educational content, have been suspended since Nov. 29 as the company investigates the breach.

"Certainly there is financial impact to us in this whole incident by not having the service online before Christmas, but our top priority is on getting the data secured," Mr. Wong, who is also chief executive, said in an interview with The Wall Street Journal. It is too early to put a figure on the financial impact, he added.

The breach highlights the risks of digital toys that require users to register personal information.

The case has attracted global attention. Attorneys general in several U.S. states including Illinois and Connecticut have said they are investigating VTech's privacy measures. New York-based Rosen Law Firm is seeking class-action status in a lawsuit on behalf of U.S. buyers of VTech devices who used the company's online services. In a statement, the firm blamed the breach on oversights by VTech. The company declined to comment.

In Hong Kong, the office of the privacy commissioner for personal data, an independent body that oversees data privacy, says it is investigating how VTech safeguards personal data. In Britain, where 1.3 million accounts were compromised, the Information Commission's Office, an independent data-protection body, said it is also investigating the matter.

Mr. Wong said the company is cooperating with law-enforcement officials globally.

"For VTech the issue now is how much it's going to cost in terms of legal fees and penalties," said Paul Haswell, a partner at legal-services firm Pinsent Masons. On top of potential class-action settlements, the company could face fines or individual suits, he said.

VTech said a journalist with Vice Media LLC informed it that its Learning Lodge system—which requires parents and children to register with names, email addresses and mailing addresses before downloading educational games—had been breached. Mr. Wong said he and his team spent the days after learning about the breach on Nov. 24 verifying and assessing the hack before informing users Nov. 27 and suspending online services two days later.

The 65-year-old Mr. Wong, who called the attack "sophisticated and well-organized," said even as the company asked users to change passwords, it wasn't "100% sure of the extent of the hack."

"We know there are certain security aspects we can further improve in our system," he said.

Cybersecurity experts say that VTech's database was weakly protected and had flaws including encryption that made passwords easily recoverable with methods such as the one used in this case—an SQL injection attack, a common way of hacking such sites. Other information, including names, birth dates and genders, wasn't encrypted, VTech said, and neither credit-card information nor social-security numbers were breached.

Last week, VTech said it has hired Mandiant, a cybersecurity forensic team from computer-security firm FireEye, to investigate the hack and improve security. Mr. Wong says the company is considering ways to tighten access and strengthen encryption, but didn't elaborate, saying the investigation is still in early stages.

Mr. Wong, who has a 3-year-old grandson, said he sympathizes with parents concerned over having sensitive information about their children leaked, but that it is unrealistic to bar children from the Internet. Rather, the industry must ensure that online toys and games are as secure as physical ones, he said.

Experts say VTech's breach is wake-up call to other companies.

"This case shows that the concept of a data breach is not just one that concerns a large bank or government agency," said Jonathan Fairtlough, managing director at cybersecurity investigator Kroll. "If a company has any data about its customers, there is the possibility it may be exposed."

Write to Anjie Zheng at Anjie.Zheng@wsj.com

(END) Dow Jones Newswires

December 08, 2015 03:15 ET (08:15 GMT)

Copyright (c) 2015 Dow Jones & Company, Inc.