- Nov 15, 2016
- 867
Message From FTC to Toymakers: Don't Mess With Kids' Privacy
The U.S. Federal Trade Commission says it has reached a settlement with Hong Kong toymaker VTech, which in late 2015 exposed sensitive personal data for millions of children and parents because of a security vulnerability.
The U.S. Federal Trade Commission says it has reached a settlement with Hong Kong toymaker VTech, which in late 2015 exposed sensitive personal data for millions of children and parents because of a security vulnerability.
The $650,000 settlement is the first one reached with an internet-connected toymaker over security and privacy concerns, the FTC says in a Monday news release. Its settlement was announced the same day as the Justice Department filed a complaint against VTech.
The FTC accused VTech of not taking reasonable steps to protect personal information and failing to clearly inform parents of the child data it collects.
In response, VTech says it is pleased to resolve the two-year investigation but "does not admit any violations of law or liability." VTech maintained that since the breach it has "adopted rigorous measures to strengthen the protection of our customers' data."
The FTC's action against VTech shows regulators are becoming more interested in the security and privacy of data handled by internet of things devices. Some manufacturers are increasingly incorporating connected capabilities into toys. But security experts have warned that too often, their implementations fail to heed accepted information security practices.
SQL Injection Attack
In November 2015, VTech revealed the compromise of its Learning Lodge, an app store with games and educational content, as well as Kid Connect, a service that lets parents communicate with children via connected toys. Kid Connect contained chat logs and children's photos (see Toymaker VTech Hacked: 200,000 Kids' Data Exposed).
Kid Connect setup screen. (Source: Justice Department complaint)
The hack came to light after a hacker reached out to a Vice Media journalist, who then contacted VTech. The hacker claimed to have accessed the data via a SQL injection flaw, one of the most common types of web application vulnerabilities.
All told, VTech said the breach affected 5 million accounts and kids' profiles in three dozen countries. The exposed data in the profiles included children's names, genders and birthdates. Also included were email addresses, passwords, secret questions and answers for password recovery, IP addresses, mailing addresses and download histories.
When the breached occurred, 2.25 million parents in the United States had created accounts on VTech's Learning Lodge for 3 million children. Of those child accounts, 638,000 were for Kid Connect and 130,000 for Planet VTech, which was a web-based gaming and chat platform.
The exposure of static information about children struck a nerve, especially in an age of rampant identity theft. Some of VTech's products allow children to record messages for their parents, which were retrievable over the internet. Recordings were exposed in the breach.
The breach sparked enquiries from lawmakers and regulators worldwide, including the FTC, Hong Kong's Privacy Commissioner for Personal Data and Canada's Office of the Privacy Commissioner.
Some 500,000 people were affected by the breach in Canada. The country's Privacy Commissioner said Monday that its investigation, conducted with the FTC, found "a number of significant security shortcomings.
Unreasonable Security
The FTC took particular issue with how VTech collected personal information. The regulator alleged that the company did not adequately inform parents about its data collection practices for children, in a violation of the Children's Online Privacy Protection Act.
"With respect to Kid Connect, VTech failed to provide direct notice of its information collection and use practices to parents and did not link to its privacy policy in each area where personal information was collected from children," the FTC says.
Once personal data was collected, the FTC alleged that VTech did not safely store it. The regulator accused VTech of violating the FTC Act, which prohibits deceptive practices, for a privacy policy that falsely stated data sent via the Learning Lodge App is encrypted.
The complaint against VTech says the company did not protect data transmissions using HTTPS, and the collected data was not encrypted at rest, either.
The FTC also claims that VTech did not implement "reasonable measures" to protect its systems, such as implement intrusion detection technologies that would have alerted it to an unauthorized intrusion.
As part of the settlement, the FTC says VTech is prohibited from violating COPPA, must implement a data security program as well as submit to independent audits for 20 years.
Warning to Others
The settlement may demonstrate to other toymakers and IoT manufacturers that regulators are closely watching their data privacy practices (see Yes, Unicorns With Bluetooth Problems Really Do Exist).
The IoT security status quo is no longer adequate, says Laura DiDio, principal analyst with Massachusetts-based Independent Technology Intelligence Consulting, who notes that regulators worldwide are tightening data privacy rules, driven by the rising damage that data breaches have been causing consumers.
Companies "are going to be held accountable," she says.
