VTech to Pay FTC $650k Over Kids Privacy Violations in Connected-Toy Hack

Two years after it was cited for security and privacy violations in its connected toys, VTech Electronics Ltd. has been fined by the U.S. government for violations of a federal law protecting children’s online privacy.

The Hong Kong-based company has agreed to pay the U.S. Federal Trade Commission (FTC) $650,000 for allegedly violating kids’ privacy laws after an investigation over a cyber attack that happened in 2015. The commission on Tuesday ordered the company to pay the fine within a week’s time.

The case stems from a 2015 data breach that hit the company’s Learning Lodge Navigator online program, exposing personal information of 5 million customers—more than half of whom were children. A hacker broke into Vtech’s systems and took data from users who had registered accounts on the Learning Lodge app store. The attack also affected users of the Kid Connect app and the now defunct Planet VTech gaming and chat platform.

The Department of Justice subsequently brought suit against VTech on the behalf of the FTC for an alleged violation of the Children’s Online Privacy Protection Act (COPPA). The FTC alleged that VTech collected personal information of hundreds of thousands of children without providing direct notice to their parents or asking for their consent.

VTech is paying the price to the tune of $650 million to the FTC for a data breach in 2015 that leaked the personal data of 5 million users of its Learning Lodge connected platform for children.

Information collected included children’s first and last names, e-mail addresses, dates of birth, and genders. The FTC also said that while VTech allegedly stated in its privacy policy that such data would be encrypted, it actually wasn’t.

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” Acting FTC Chairman Maureen Ohlhausen said in a statement on the commission’s website. “Unfortunately, VTech fell short in both of these areas.”

However, agreeing to a settlement does not mean that the company is acknowledging any wrongdoing, VTech said in a statement. “Although VTech has agreed to this settlement to address these long-resolved issues, VTech does not admit any violations of law or liability,” the company said.

No matter, VTech Chairman and Group CEO Allan Wong said the company has appropriately updated its data security policy and “adopted rigorous measures to strengthen the protection of our customers’ data.” VTech also has addressed the technical notice and consent issues under COPPA, he added.

You can read more about the breach, allegations and settlement over at Infosecurity.

Comments are closed.