Data including email addresses, home addresses, security questions and answers, children’s names and dates of birth, as well as easily-reversible passwords were exfiltrated from VTech’s servers via an elementary SQL injection attack.
Although the hacker who accessed the information said he had no plans to publicly release the stolen data, that was little comfort for the company’s customers. After all, if such a rudimentary attack had managed to expose so much sensitive information, there was every possibility that other more maliciously-minded attackers might have also grabbed the details.
Furthermore, concerns were raised that the company may have violated privacy laws by collecting personal information from young children without providing direct notice and obtaining parents’ verified consent, as well as failing to properly secure the details.
Two-and-a-bit years later, VTech has agreed to pay $650,000 after the US Federal Trade Commission (FTC) brought a privacy lawsuit against the technology company.
As well as the financial penalty, VTech is permanently prohibited from violating the Children’s Online Privacy Protection Act (COPPA), which requires that firms collecting personal data online from children under the age of 13 take steps to ensure the data is protected, and that a parent has given consent for the creation of the account.
In addition, VTech is required to beef up its security program, and subject itself to independent audits for the next 20 years.
“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen. “Unfortunately, VTech fell short in both of these areas.”
VTech may well have fallen short, but I note that the settlement, one of the first reached with an internet-enabled toy manufacturer over security and privacy concerns, lets the firm off the hook in one key area: it does not require VTech to admit to any wrongdoing.
In the grand scheme of things, a $650,000 fine and the other measures imposed by the FTC are not world-shaking. Unless we see larger fines, and companies made to admit their failings when it comes to securing their customers’ data, I’m not sure we’re going to see enough businesses making internet-enabled devices give information security the priority it so desperately requires.