Toymaker VTech pays $650,000 to settle complaint related to 2015 hack


The U.S. Federal Trade Commission says it has reached a settlement with Hong Kong toymaker VTech, which in late 2015 exposed sensitive personal data for millions of children and parents because of a security vulnerability.

On 8 January, the United States District Court in the Northern District of Illinois (Eastern Division) processed an action by which the FTC will obtain $650,000 in monetary penalties from VTech, a Hong Kong-based electronic toys manufacturer.

The company also allegedly failed to protect the data it collected, allowing a hacker to gain access in late 2015, according to the complaint.


Back in 2015, a hacker had broken into VTech's systems and taken data from users who had registered accounts on the company's "Learning Lodge" app store. It did so in not linking to its Privacy Policy wherever parents submitted their children's information to register for Kid Connect, a communications service which requires parents to first sign up with Learning Lodge.

The FTC alleged in its complaint that VTech, through its Kid Connect app that collected personal information from hundreds of thousands of children, failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices, as required under the Children's Online Privacy Protection Act. This included about 638,000 Kid Connect accounts for children. Data was also collected through a discontinued online platform called Planet VTech. VTech maintained that since the breach it has "adopted rigorous measures to strengthen the protection of our customers' data".

"The information was stored so that the children's information was linked to their parents' information."

At the end of 2015, details about a massive security breach at VTech emerged, revealing that hackers broke into the company's servers, gaining access to the customer accounts of nearly five million parents and over six million children worldwide. Information was also collected through the Kid Connect app, federal officials said. Close to 130,000 children's profiles were created on Planet VTech accounts.

The complaint against VTech says the company did not protect data transmissions using HTTPS, and the collected data was not encrypted at rest, either.

Beyond the fine, VTech must implement "a comprehensive data security program, which will be subject to independent audits for 20 years".

The FTC collaborated with the Office of the Privacy Commissioner of Canada, which is releasing its own Report of Findings.