Toymaker Hack Highlights Dark Side of Tech Industry’s Data Obsession


In-brief: The hack of VTech, a maker of technology products for children, has exposed sensitive data on hundreds of thousands of children, the company acknowledged this week. Also exposed: the toy industry’s growing and unregulated appetite for information on the children who play with their toys.

The hack of VTech, a maker of technology products for children, has exposed sensitive data on hundreds of thousands of children, including photos, voice recordings and personally identifying information, the company acknowledged this week.

The hack, which was first reported by the website Motherboard, is raising alarms about the security practices of firms selling Internet-connected consumer devices, even as it highlights the hidden costs of the technology industry's fad for business models that emphasize the collection and storage of massive troves of customer data.

In a statement on Monday, VTech acknowledged that an “unauthorized party” accessed VTech customer data housed on an online database associated with the company’s “Learning Lodge” mobile application store. The hack occurred on November 14, 2015 and was discovered by VTech on November 24th, the company said. Information on approximately 5 million customer accounts and related children was exposed, VTech said.

According to the company, the customer database contained “user profile information” including the customers’ names, email addresses, passwords, secret question-and-answer pairs for password retrieval, as well as mailing addresses, IP addresses and a history of their downloads. The compromised database also stored “kids information” including their names, genders and birthdates.

VTech, a firm that makes kid-focused mobile devices, suffered a data breach, exposing data on some five million consumers.

The company has notified customers and taken 13 separate, product- and language-specific websites offline in the wake of the hack, including planetvtech.com, sleepybearlullabytime.com and others.

Not mentioned by VTech thus far are photos and voice recordings of both children and adults who used VTech products. Those were also exposed in the breach, according to a follow-on report by Motherboard on Monday.

The breach – coming at the start of the holiday shopping season – seems destined to set off debate about privacy and security protections in connected toys. Security experts were quick to note that the source of the breach – an application vulnerability known as SQL injection – is one of the most common and oft-noted vulnerabilities in web-based applications.
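To make the flaw the experts are pointing at concrete, here is an added illustration that is not from the original article and has nothing to do with VTech's actual code: the same customer lookup written the vulnerable way, with user input spliced into the SQL text, and the hardened way, with the input passed as a bound parameter. The table and the inputs are constructed in-memory SQLite data, and all names are hypothetical.

```python
import sqlite3

# Constructed sample data standing in for a vendor's customer table
# (hypothetical schema; not VTech's). Passwords are shown as opaque hashes.
SAMPLE_USERS = [
    ("alice@example.com", "hash-of-alice-password"),
    ("bob@example.com", "hash-of-bob-password"),
]

# Constructed input carrying SQL metacharacters: a closing quote followed by
# a condition that is always true. It is the kind of value a web form must
# be assumed to receive.
TAINTED_INPUT = "x' OR '1'='1"


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable form: the caller-supplied value becomes part of the SQL
    statement itself, so the database cannot distinguish data from query
    structure and a crafted value changes what the query does."""
    sql = "SELECT email FROM users WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Hardened form: the value is sent as a bound parameter. The statement
    text is fixed, and the input is only ever compared as data, whatever
    characters it contains."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable:    ", lookup_vulnerable(db, "alice@example.com"))
    print("legit, parameterized: ", lookup_parameterized(db, "alice@example.com"))
    print("tainted, vulnerable:  ", lookup_vulnerable(db, TAINTED_INPUT))
    print("tainted, parameterized:", lookup_parameterized(db, TAINTED_INPUT))
```

Both functions behave identically on a well-formed address; they diverge only on the tainted value, where the vulnerable form returns every row in the table and the parameterized form returns nothing. The fix is a one-line change in how the query is built, which is why the quoted experts treat the presence of this bug in 2015 as a process failure rather than a hard technical problem.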

VTech customers took to social media over the weekend to air their anger and concern. A Twitter user named George Murray (@gmurr90), of Scotland, UK, wrote on Saturday that he had been reluctant to enter his information and that of his daughter, but “was required to in order to activate my daughter’s Innotab.” Now his and his daughter’s information “are being shared on the net like it’s nothing,” Murray vented.

“This breach is another sad example of a company ignoring some very basic application security best practices. Why are websites still vulnerable to SQL injection today? The industry has known about this for decades,” wrote Chris Eng, the Chief Marketing Officer at the security firm Veracode, in an e-mail statement.

Makers of connected products for the consumer market are not taking security seriously enough, Eng said. Increasingly, toy makers are among that group. “Toy manufacturers don’t have the rigor around secure development that’s needed in today’s environment and are inevitably going to fall short on security,” he wrote.

That eagerness to harvest customer data and a corresponding lack of attention to security and privacy reflect the business environment within the toy industry itself, said Ted Collins, the Chief Technology Officer of the firm Playrific.com, which makes a mobile application development platform used by toy makers.

VTech and other toy makers are struggling to find a way to make money in a competitive marketplace with short product development cycles. Mobile applications, which looked promising two or three years ago, have not turned into the cash engine that toy makers expected. Now the emphasis is on making devices that kids clamor to own, and on collecting data from those devices for use in developing follow-on products, or even to pass along to advertisers, said Collins.

“As the feeding frenzy about how to make money continues, the idea of selling data has occurred,” he said.

Within the industry, VTech is known as one of a small handful of top tier firms making educational and entertainment products for kids, said Beth Marcus, the CEO of Playrific.

The Hong Kong firm initially positioned itself as a less expensive alternative to U.S. based competitors like Leapfrog, but has leapfrogged that company and others in recent years by paying close attention to what its customers want, offering tablets, smart watches and other high tech gear tailored to young children, Marcus said.

But security and privacy protections are rarely features that parents – let alone kids – look for when purchasing, said Collins. Kids want features – like built-in cameras – that they see on devices that grown-ups and siblings are using. And adults were raised “in an era before all this technology existed and all this data was being collected,” making them less wary than they should be of how the devices might be used or abused, Collins said.

The mass collection of data including photos, personal information and download history could create a range of privacy and even safety issues for children whose information has been leaked, Collins said.

Another problem is that federal laws that protect children’s privacy in the U.S. have not kept pace with technology, he said. The Children’s Online Privacy Protection Act (COPPA) was initially passed in 1998, before the widespread use of connected toys and cloud-based applications. Today, such laws are hamstrung by national borders, leaving vendors like VTech – with customers in countries around the world, headquarters in Hong Kong and servers located in China and elsewhere – mostly immune to COPPA’s provisions.

“This is a situation where all the players want to do the right thing for kids,” Collins said. “The issue is getting the rules right and adopting the right mentality.”

One Comment

  1. HACKERS SHOULD BE GIVEN A MANDATORY SENTENCE….WHEN CAUGHT. ENOUGH ALREADY with hackers targeting children….In the far East they get their point across when they chop off an arm….Global acceptance of a mandatory sentence everywhere would get Hackers’ attention everywhere!!!!!!!