Parents are saying that a popular toymaker got off easy after a massive breach exposed millions of parents and kids.
On Monday, electronic toymaker VTech Electronics, the Hong Kong-based parent company of LeapFrog, agreed to settle the children's privacy lawsuit for $650,000, and critics are calling it a shockingly low fine, making it all the more tempting for parents to set their kids' devices on fire.
The settlement comes two years after a major breach in which data from 2.25 million parents and nearly 3 million children was exposed, according to the Federal Trade Commission. The toymaker will have to pay the fine within the next seven days and be subject to independent audits for 20 years.
In November 2015, Motherboard revealed that a hacker broke into VTech servers and found names, emails, passwords, home addresses, birthdays, and photos of millions of parents and kids. The biggest breach was through the product Kid Connect, which allows parents with smartphones to communicate with their kids through texts, 10-second voice messages, drawings, photos and more. Apparently, VTech stored years' worth of chat logs online that were easily accessible to hackers.
"I can get a random Kid Connect account, look through the dump, link them to their circle of friends and the parent who registered at Learning Lodge (VTech's app store)," the hacker told Motherboard. "I have the personal information of the parent and the profile pictures, emails, (Kid Connect) passwords, nicknames ... of everyone in their Kid Connect contacts list."
The FTC also said that about 134,000 parents in the U.S. created Planet VTech accounts for 130,000 kids before November 2015. Planet VTech is a now-defunct web-based gaming and chat platform. In both Kid Connect and Planet VTech, "parents were required to register and provide personal information including their name, email address, as well as their children’s name, date of birth and gender."
"This is all discoverable by using their websites precisely as they were intended to be used, which on the one hand means that it's easily obtainable information by anyone, yet on the other means that they could also have readily identified a whole raft of flaws themselves if only they’d looked," security researcher Troy Hunt told TechCrunch in 2015. "For example, there is no SSL anywhere. All communications are over unencrypted connections, including when passwords, parent’s details and sensitive information about kids is transmitted. These days, we're well beyond the point of arguing this is OK—it's not."
In a press release, VTech said it has updated its data security policy and adopted "rigorous measures to strengthen the protection" of customers' data since the cyberattack. But "VTech does not admit any violations of law or liability."
The settlement isn't exactly a win for parents and children whose data was exposed.
"It’s hardly a heavy fine for a company that was selling millions of devices, and may embolden others weighing the cost of real security against the risk of being caught and fined," Devin Coldewey wrote in TechCrunch.
Additionally, the toymaker still seems to be chugging along with its smart toys. In late 2017, VTech released KidiBuzz, an Android-powered, multifunction smart device, which can also connect to the Learning Lodge and uses KidiConnect (which is branded differently from Kid Connect). KidiBuzz is marketed on their site as "a safe way to enjoy the latest tech" and "the perfect tech toy for kids."
Please excuse us while we run magnets over some devices and hard drives.