[BreachExchange] Toymaker VTech Settles FTC Privacy Lawsuit For $650,000

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 9 20:23:42 EST 2018


The U.S. Federal Trade Commission says it has reached a settlement with
Hong Kong toymaker VTech, which in late 2015 exposed sensitive personal
data for millions of children and parents because of a security

The $650,000 settlement is the first one reached with the maker of an
internet-connected toy over security and privacy concerns, the FTC says.
Its settlement was announced Monday, the same day as the Justice Department
filed a complaint against VTech.

The FTC accused VTech of not taking reasonable steps to protect personal
information and failing to clearly inform parents of the child data it

In response, VTech says it's pleased to resolve the two-year investigation
but "does not admit any violations of law or liability." VTech maintained
that since the breach it has "adopted rigorous measures to strengthen the
protection of our customers' data."

The FTC's action against VTech shows regulators are becoming more
interested in the security and privacy of data handled by internet of
things devices. Some manufacturers are increasingly incorporating connected
capabilities into toys. But security experts have warned that too often,
their implementations fail to heed accepted information security practices.

SQL Injection Attack

In November 2015, VTech revealed the compromise of its Learning Lodge, an
app store with games and educational content, as well as Kid Connect, a
service that lets parents communicate with children via connected toys. Kid
Connect contained chat logs and children's photos (see Toymaker VTech
Hacked: 200,000 Kids' Data Exposed).

The hack came to light after a hacker reached out to a Vice Media
journalist, who then contacted VTech. The hacker claimed to have accessed
the data via a SQL injection flaw, one of the most common types of web
application vulnerabilities.

VTech said the breach affected 5 million accounts and kids' profiles in
three dozen countries. The exposed data in the profiles included children's
names, genders and birth dates. Also included were email addresses,
passwords, secret questions and answers for password recovery, IP
addresses, mailing addresses and download histories.

When the breach occurred, 2.25 million parents in the United States had
created accounts on VTech's Learning Lodge for 3 million children. Of those
child accounts, 638,000 were for Kid Connect and 130,000 for Planet VTech,
which was a web-based gaming and chat platform.

The exposure of static information about children struck a nerve,
especially in an age of rampant identity theft. Some of VTech's products
allow children to record messages for their parents, which were retrievable
over the internet. Recordings were exposed in the breach.

The breach sparked inquiries from lawmakers and regulators worldwide,
including the FTC, Hong Kong's Privacy Commissioner for Personal Data and
Canada's Office of the Privacy Commissioner.

Some 500,000 people were affected by the breach in Canada. The country's
Privacy Commissioner said Monday that its investigation, conducted with the
FTC, found "a number of significant security shortcomings."

Unreasonable Security

The FTC took particular issue with how VTech collected personal
information. The regulator alleged that the company did not adequately
inform parents about its data collection practices for children, in a
violation of the Children's Online Privacy Protection Act.

"With respect to Kid Connect, VTech failed to provide direct notice of its
information collection and use practices to parents and did not link to its
privacy policy in each area where personal information was collected from
children," the FTC says.

Once personal data was collected, the FTC alleged that VTech did not safely
store it. The regulator accused VTech of violating the FTC Act, which
prohibits deceptive practices, because a privacy policy falsely stated data
sent via the Learning Lodge App is encrypted.

The complaint against VTech says the company did not protect data
transmissions using HTTPS, and the collected data was not encrypted at
rest, either.

The FTC also claims that VTech did not implement "reasonable measures" to
protect its systems, such as implementing intrusion detection technologies
that would have alerted it to an unauthorized intrusion.

As part of the settlement, the FTC says VTech is prohibited from violating
COPPA and must implement a data security program as well as submit to
independent audits for 20 years.

Warning to Others

The settlement may demonstrate to other toymakers and IoT manufacturers
that regulators are closely watching their data privacy practices (see Yes,
Unicorns With Bluetooth Problems Really Do Exist).

The IoT security status quo is no longer adequate, says Laura DiDio,
principal analyst with Massachusetts-based Independent Technology
Intelligence Consulting, who notes that regulators worldwide are tightening
data privacy rules, driven by the rising damage that data breaches have
been causing consumers.

Companies "are going to be held accountable," she says.