A 21-year-old man has been arrested in relation to the cyber attack on children's toy manufacturer VTech.
The suspect was detained in Bracknell, Berkshire and is being held under suspicion of "unauthorised access to a computer to facilitate the commission of an offence" and "causing a computer to perform a function to secure/enable unauthorised access to a program/data".
Officers from the South East Regional Organised Crime Unit (SEROCU) confirmed that a number of electronic items were seized in the arrest.
Craig Jones, head of the cyber crime unit at SEROCU, said: "We are still at the early stages of the investigation and there is still much work to be done. We will continue to work closely with our partners to identify those who commit offences and hold them to account.
"We are pursuing cyber criminals using the latest technology and working with businesses and academia to further develop specialist investigative capabilities to protect and reduce the risk to the public."
VTech admitted last month that over one million UK parent and child records were compromised following a cyber attack on its servers.
VTech announced on its FAQ page that 560,487 parent profiles and 727,155 child profiles were stolen by hackers.
The US was the most affected country, with 2,212,863 parent profiles and 2,894,091 child profiles compromised.
Despite reports that audio files and chat logs were also stolen, VTech said that it could not comment on the authenticity of the photos and recordings at the time.
"Audio files are encrypted by AES128, whereas chat logs are not encrypted. Our security protocols require that only undelivered messages are stored temporarily in our server. These messages are set to expire in 30 days," the firm explained.
The investigation into how the leak occurred found that the company server was breached, but according to VTech there is currently "no evidence" to suggest that individual toy products are unsafe.
Furthermore, VTech said there is no indication that any of the stolen data had been used or distributed online.
"Whilst all personal customer passwords are encrypted, even encrypted data can be susceptible to skilled hackers," said the firm.
"We are advising you to immediately change your passwords on any other sites that may use the same email, secret question and answer, and password combination."
After the initial hack it was revealed that up to 190GB of private images and a huge cache of personal chat logs between parents and their children were among the data stolen, according to Motherboard.
The data included five million customer records covering names, addresses and passwords alongside roughly 200,000 personal details of children.
The data was stolen from VTech's Kid Connect service that allows parents to chat with their children using a smartphone linked to a VTech tablet.
"Frankly, it makes me sick that I was able to get all this stuff. VTech should have the book thrown at them," the apparent hacker told Motherboard.
"I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech's app store]. I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames of everyone in their Kid Connect contacts list."
Furthermore, the hacked server contained numerous audio files and chat logs of conversations between parents and children. "Roses are red vilets [sic] are blue and I love you. Mommy and daddy," read one of the messages.
The hacker has claimed he will not release the images or chat logs online or sell them on the dark web.
VTech customer services said in a statement sent to V3: "We would like to offer our sincere apologies regarding this issue and assure you that we are treating the matter extremely seriously.
"We are waiting to be updated from our headquarters in Hong Kong about this issue, and as soon as we have any more information we will keep all of our customers informed. We apologise profusely again for this matter."
VTech told V3 that the data was "in an encrypted state" and that it has now taken the Learning Lodge system offline to update its security.
"This update will strengthen the platform and protect data further so that problems like this do not arise in the future," the firm said.
The company, which makes electronic education toys for children, discovered on 14 November that its Learning Lodge portal, used to let customers buy apps, games, e-books and other content for VTech products, had been breached.
“Upon discovering the unauthorised access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks,” VTech said in a statement.
The situation was discovered only after the company was asked by a journalist in Canada on 23 November whether there had been a data breach.
VTech admitted that the breach had left a huge amount of information exposed to the hackers, although one small positive was that financial information was not stolen.
“Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history,” the firm said.
“It is important to note that our customer database does not contain any credit card information, and VTech does not process or store any customer credit card data on the Learning Lodge website.”
Dangerous data theft for parents, and their children
The scale of the hack, and the fact that it includes information on children, has led to an outcry from security experts, who warned that firms still fail to take the safety of customer data seriously.
Security expert Troy Hunt said that the breach was one of the worst to have occurred this year, given that information on children has been stolen. This makes it easy for hackers to identify parents and children.
"When it’s hundreds of thousands of children, including their names, genders and birth dates, that’s off the charts," he wrote in a blog post.
"When it includes their parents as well, along with their home address, and you can link the two and emphatically say 'Here is nine-year-old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)', I start to run out of superlatives to even describe how bad that is."
James Romer, chief security architect for Europe at SecureAuth, was equally critical of the breach, noting just how widespread the impact could be.
“Children are a valuable target for hackers as they potentially won’t know that their identity has been compromised until they are much older and reliant on credit checks. This kind of breach is simply not acceptable," he said.
"Organisations, particularly those who hold this kind of information, must invest in advanced security systems alongside adaptive authentication for their users to mitigate the chances of this happening and render any stolen assets worthless."
Romer added that the hack should be a wake-up call for any organisation that handles personal data to have strong security in place, as any information is a tempting targeting for hackers.
Q3 losses reverse Q2 gains
FBI briefing US companies to dump Kaspersky, claiming intelligence prove it a 'threat to national security'
Kaspersky rejects FBI accusations that its products are a 'threat to national security'
But breached contractor says that it simply didn't have that much data
EE follows Three in threatening legal action against Ofcom - but for entirely different reasons