It has not been a good year for children's privacy.
On Nov. 14, digital thieves breached two services at toy maker VTech, compromising the company's Learning Lodge app store and Kid Connect servers and accessing information on more than 6.3 million kids and their 4.8 million parents.
While parents' accounts included names, email and IP addresses, password retrieval information, mailing addresses, download history and encrypted passwords, most of the children's data consisted only of their name, gender and birth date. In some cases, however, photos and unsent messages may have been stored as well, the company said in a statement.
"Upon discovering the breach we immediately conducted a comprehensive check of the affected sites and are taking thorough actions against future attacks," the statement said. "The investigation continues as we look at additional measures to strengthen our Learning Lodge database and Kid Connect security."
The breach has forced the Hong Kong-based toy firm to refocus on securing data. Yet, VTech is not the only company to fall afoul of privacy issues. Toy maker Mattel received loud criticism earlier this year for its marketing of Hello Barbie, a version of the well-known doll that converses with a child, but also sends the conversations to a third party for processing—and alleged data mining—and which apparently has wireless flaws that could allow a hacker to eavesdrop on the conversation as well.
Privacy advocates are also leery of major companies' educational services and how much data they are collecting on young students. On Dec. 1, the Electronic Frontier Foundation filed a complaint with the U.S. Federal Trade Commission alleging that Google had violated its own privacy pledge by collecting information on students through the syncing service on Chromebooks sold or provided to schools.
Along with Apple, Microsoft and 100 other school-service providers, Google has signed the Student Privacy Pledge, in which the companies promised to not collect, use or share students' information without parents' permission or for legitimate educational purposes.
Google stressed that it continues to abide by the pledge and that the data from Chromebooks is only used to allow students to save their settings and, as anonymous data, to improve the service. The two organizations that authored the pledge agreed with Google's interpretation, not the EFF's complaint.
However, the incident, along with the VTech breach and Mattel's Barbie missteps, highlights the privacy problems that manufacturers and online service providers will increasingly have to solve. As the Internet of things increasingly intersects with toys and children's games, privacy issues will become more acute, Jason Hart, vice president of cloud solutions and data protection at Gemalto, told eWEEK.