Sphero – a Hong Kong manufacturer of programmable robots and educational tools – has suffered an apparent security breach exposing the personal data of a million educators and students.
On Monday, antivirus review website SafetyDetectives reported that sensitive data, appearing to belong to Sphero users, had been stolen and published online. However, the Office of the Privacy Commissioner for Personal Data (PCPD) told HKFP that it has not received any report from the firm.
When HKFP asked Sphero whether they had informed users of the breach, and why they failed to inform the authorities, a spokesperson on Thursday refused to comment.
Sphero creates kits and robots for coding, science, music, and art classes.
“The hacker supposedly found and exploited multiple vulnerabilities in Sphero’s security infrastructure, allowing them to steal sensitive data and personally identifiable information,” the SafetyDetectives cybersecurity report said, referring to an online darknet post. “In subsequent postings, the attacker added that more bugs were identified in the backend of Sphero’s systems. The security lapse enabled the hacker to conduct a massive account takeover.”
The “darknet” refers to a version of the internet with restricted access, sometimes used for illegal activity owing to its privacy benefits. The darknet forum post included user information such as full names, emails, birthdays, profile photo URLs, job roles, location and bios.
The PCPD told HKFP on Thursday that they will contact Sphero “to ascertain if the company has any operation in Hong Kong and if any data subjects in Hong Kong are affected.”
The firm lists a Kwai Fong property as its international office, alongside a US warehouse.
SafetyDetectives warned that the leaked data could be used for scams or identity theft: “In line with its responsible disclosure principles, the SafetyDetectives team reached out to Sphero to report the potential breach and got in touch with an official representative. They requested to view the forum post, potentially to confirm the veracity of the leak. We shared the link to the post with Sphero and are awaiting further response.”