VTech has developed edutainment consoles since 1988, their first being the Socrates.
VTech was founded in Hong Kong in October 1976 by two local entrepreneurs, Allan Wong (Chi-Yun) and Stephen Leung. When the first single-chip microprocessor "Intel 4004" became available in the early 1970s, the company saw the potential it offered for portable consumer electronics products. Wong & Leung set up a small factory in To Kwa Wan, with a US$40,000 investment and a staff of 40 people. In the first year, turnover was less than US$1 million.
VTech initially focused on developing video games. In 1977, the company created its first home TV game console, a version of Pong. Since only consumers in North America and Europe could afford such items, the company targeted primarily these markets.
The United Kingdom was chosen as the first market for Pong, as Hong Kong and the UK used the same standard for television systems. In 1978, the founders introduced LED games they had developed to buyers from RadioShack in the US, which were sold under the RadioShack brand.
VTech then began to build its own brand. Starting in the early 80's, a line of electronic games would be manufactured. VTech unveiled its first electronic learning product, called "Lesson One", at the New York Toy Fair, in February 1980. It taught children basic spelling and maths. An exclusive version under the name "Computron" was offered to Sears, with the product being prominently advertised by Sears, in its catalogue, which was a popular shopping guide.
Next VTech made the video game console CreatiVision.
VTech then branched out into personal computers, including a series of IBM compatible PCs beginning in 1983, followed by Apple II compatible computers, beginning in 1985, including a model called Laser 128.
VTech exited the personal computer market in 1997, due to tight competition.
In 1985, the United States Federal Communications Commission (FCC) allocated the frequency band 900MHz to ISM (industrial, scientific and medical) devices. Taking advantage of this, VTech began development on a cordless telephone, using the 900 MHz band, and in 1991 introduced the world's first fully digital 900 MHz cordless telephone.
In 2000, to expand its cordless phone business, VTech acquired the consumer telephone business of Lucent Technologies. The acquisition also gave VTech the exclusive right for 10 years to use the AT&T brand in conjunction with the manufacture and sale of wireline telephones and accessories in the United States and Canada. Although the acquisition increased sales of VTech's telecommunication products by 50%, it led to operating losses and write-offs. The company issued a profit warning in March 2001 and launched a broad restructuring plan. By the financial year 2002, the company had turned around the business and returned to profitability.
Today, VTech's core businesses remain cordless telephones and electronic learning products. Its contract manufacturing services – which manufactures various electronic products on behalf of medium-sized companies, has also become a major source of revenue. The company has diversified geographically, selling to North America, Europe, Asia, Latin America, the Middle East and Africa.
2015 data breach
This section needs to be updated. (July 2016)
In November 2015, Lorenzo Bicchierai, writing for Vice magazine's Motherboard, reported that VTech's servers had been compromised and the corporation was victim to a data breach which exposed personal data belonging to 6.3 million individuals, including children, who signed up for or utilized services provided by the company related to several products it manufactures. Bicchierai was contacted by the unnamed attacker in late November, during the week before Thanksgiving, at which point the unnamed individual disclosed information about the security vulnerabilities with the journalist and detailed the breach.
Bicchierai then reached out to information security researcher Troy Hunt to examine data provided by the attacker to Bicchierai, and to confirm if the leak was indeed authentic and not an internet hoax. Hunt examined the information and confirmed it appeared to be authentic. Hunt then dissected the data in detail and published the findings on his website. According to Hunt, VTech's servers failed to utilize basic SSL encryption to secure the personal data in transit from the devices to VTech's servers; that VTech stored customer information in unencrypted plaintext, failed to securely hash or salt passwords.
The attack leveraged an SQL injection to gain privileged root access to VTech servers. Once privileged access was acquired, the attacker exfiltrated the data, including some 190 gigabytes of photographs of children and adults, detailed chat logs between parents and children which spanned over the course of years and voice recordings, all unencrypted and stored in plain text. The attacker shared some 3,832 image files with the journalist for verification purposes, and some redacted photographs were published by the journalist. Commenting on the leak, the unnamed attacker expressed their disgust with being able to so easily obtain access to such a large trove of data, saying: "Frankly, it makes me sick that I was able to get all this stuff. VTech should have the book thrown at them” and explained their rationale for going to the press was because they felt VTech would have ignored their reports and concerns.
VTech corporate security was unaware their systems had been compromised and the breach was first brought to their attention after being contacted by Bicchierai prior to publication of the article. Upon notification, the company took a dozen or so websites and services offline.
In an FAQ published by the company, they explain some 4,854,209 accounts belonging to parents and 6,368,509 profiles belonging to children had been compromised. The company further claims the passwords had been encrypted, which is contrary to reports by the independent security researcher contacted by Vice. The company indicated they were working with unspecified "local authorities." VTech subsequently brought in the information security services company FireEye to manage incident response and audit the security of their platform going forward.
Mark Nunnikhoven of Trend Micro criticized the company's handling of the incident and called their FAQ "wishy-washy corporate speak."
United States Senators Edward Markey and Joe Barton, co-founders of the Bi-Partisan Congressional Privacy Caucus, issued an open letter to the company inquiring as to why and what kind of information belonging to children is stored by VTech and how they use this data, security practices employed to protect that data, if children's information is shared or sold to third-parties and how the company complies with the Children's Online Privacy Protection Act.
In February 2016, Hunt publicized the fact that VTech had modified its Terms and Conditions for new customers so that the customer acknowledges and agrees that any information transmitted to VTech may be intercepted or later acquired by unauthorized parties.
In January 2018 the US Federal Trade Commission fined VTech $650,000 USD for the breach, around $0.09 per victim.