Electronic toymaker VTech said Tuesday that the hacker or hackers who infiltrated the company's computer systems gained access to data from nearly 6.4 million profiles belonging to children.
The Hong Kong-based firm said the security breach was discovered on Nov. 24, more than a week after it occurred. Hackers were able to access email addresses, passwords, mailing addresses and more, as well as the names and birth dates of some children who used VTech's toys and tablet computers.
Overall, nearly 4.9 million parent accounts were compromised, which were connected to 6.37 million related children's profiles, VTech revealed on Tuesday. The largest number of accounts accessed were created in the U.S. (more than 2.2 million), followed by France (868,650) and the U.K. (560,487).
Hong Kong's Office of the Privacy Commissioner for Personal Data (PCPD) announced it was commencing a "compliance check" on Tuesday to determine if VTech had done enough to safeguard its data before the attack and was taking steps to bolster security after.
"VTech indicated that they would notify the PCPD formally about this data leakage incident which involved data of 5 million customers accounts and related kids profiles worldwide," Stephen Wong, the PCPD's privacy commissioner for personal data, said Tuesday in a statement.
Punishment for non-compliance can include a fine of more than $6,000 and two years in jail under law in Hong Kong. The stakes are higher for the person who stole the data. If found guilty of causing "psychological harm" to users, the hacker could face a fine of nearly $130,000 and five years in jail.
VTech said that no credit card information was stolen in the breach.
VTech said Tuesday in a FAQ that it could not confirm a Motherboard report that the hacker obtained children's photos as well as audio and chat logs from VTech's Kid Connect messaging service, because its "investigation is ongoing."
The company did say that audio files and photos shared on Kid Connect are protected by AES128 encryption, while the chat logs are not.