VTech Electronics Limited has agreed to pay $650,000 as part of a settlement agreement with the Federal Trade Commission (FTC) for a 2015 breach that exposed millions of parents' and children's data.
On 8 January, the United States District Court in the Northern District of Illinois (Eastern Division) processed an action by which the FTC will obtain $650,000 in monetary penalties from VTech, a Hong Kong-based electronic toys manufacturer. The payment is part of a settlement agreement for a security incident that occurred back in November 2015, when an unauthorized party obtained VTech customer data housed in Learning Lodge, a platform which allows customers to download child-based games, apps, and other content.

The breach, which VTech confirmed in a statement shortly thereafter, exposed the names, email addresses, encrypted passwords, mailing addresses, and other information of 4,833,678 parents who bought products from the company. It also compromised the names, genders, and birthdays of at least 200,000 kids, along with photographs of the children and chats they had with their parents.

An investigation into how the incident occurred reveals VTech violated the Children's Online Privacy Protection Act (COPPA), a rule which imposes requirements on operators of websites that collect information from children under 13 years of age. It did so by not linking to its Privacy Policy wherever parents submitted their children's information to register for Kids Connect, a communications service which requires parents to first sign up with Learning Lodge. Furthermore, VTech failed to include specific disclosures of data collection in its Privacy Policy as mandated by COPPA, and it neglected to implement proper data security measures that could have protected customers' and their children's personal information. Lastly, the company misled customers about its use of encryption to protect their PII in transit.

Travis Smith, a principal security researcher at Tripwire, feels these oversights are demonstrative of companies that neglect security for other concerns. As he told Archer News:

"When you're trying to get a return on your investment and you want to get a device to market very quickly, security usually comes as an afterthought, or as a 'nice to have,' not a 'need to have.'"
In addition to paying the penalty, which some feel is hardly a heavy fine, VTech has agreed to a permanent injunction that prevents future violations of the FTC Act and the COPPA Rule. The court may also award other relief that it deems "just and proper."