FTC Fines IoT Toy Vendor VTech for Privacy Breach

NEWS ANALYSIS: After a two-year investigation, the Federal Trade Commission settles privacy violations allegations with toy vendor, imposing a $650,000 fine.

IoT Toy Security Risk

There is a price to be paid for not properly securing technology that leads a privacy data breach. 

On Jan. 8, the U.S. Federal Trade Commission (FTC) announced that it settled with VTech Electronics over charges that it violated children's privacy law and the FTC Act. VTech will pay a fine of $650,000 as part of the FTC settlement that comes from a December 2015 data breach that exposed information on 5 million children.

"As a parent, I know raising raising digital natives comes with a host of new challenges," FTC Commissioner Terrell McSweeny wrote in a Twitter message. "This case underscores that we must remain mindful about how kids data is collected & used by toys & that toymakers must comply w/ #COPPA"

COPPA is the Children’s Online Privacy Protection Act which became a law in 1998. McSweeny noted that the VTech breach is the first FTC connected toy privacy and data security case involving COPPA. With COPPA, websites and those that operate online services directed at children have certain responsibilities in regards to the collection of personal information and privacy. 

VTech has an app called Kid Connect which is used with some of its electronic toys. It was the Kid Connect online database that was breached by attackers in November 2015. In December 2015, British law enforcement officials arrested a 21-year old main in connection with the data breach.

The root cause of the breach, by VTech's own admission, was lack of database security. The attacker was able to leverage a SQL Injection (SQLi) vulnerability in order to steal the data. Though a preventable security vulnerability was at the core of the VTech data breach, the FTC's complaint and settlement with VTech is largely focused on COPPA compliance. The FTC complaint alleges that VTech did not properly alert parents about privacy policies or that personal information was being collected from children.

"Defendants did not link to their Privacy Policy in each area of Kid Connect where personal information was collected from children," the complaint states. "Defendants did not provide a direct notice of its information collection and use practices, as required by the COPPA Rule." 

COPPA also requires that organizations take the appropriate measures for privacy data security, which is something that VTech failed to do.

"Defendants have engaged in a number of practices that, taken together, failed to provide reasonable and appropriate data security to protect the personal information collected from consumers, including children through Kid Connect," the FTC complaint states.

In addition to COPPA, VTech violated the FTC Act by falsely claiming in its privacy policy that any privacy information that was collected would be encrypted, when in fact it was not.

For its part, VTech stated that it's pleased that the two-year long FTC investigation into the 2015 data breach has now concluded.

"Following the cyber-attack incident, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers' data," Allan Wong, Chairman and Group CEO of VTech Holdings Limited stated. "We also took steps to address the technical notice and consent issues under COPPA."

VTech is certainly not the first or the last connected toy maker that has had data security issues in the last two years. In December 2015, the Hello Barbie connected toy manufactured by ToyTalk was discovered to have security issues. That same month, Hello Kitty vendor Sanrio admitted that it had a vulnerability on its community website that could have been exploited. In February 2016, Fisher-Price's Smart toy product line was revealed to have security vulnerabilities that could have potentially enabled an attacker to steal user information. In all three of those cases, the vendors were notified of the issues and were able to patch before there was a public data breach.

Though IoT connected toy security issues could potentially put user data at risk, a November 2017 survey found that most consumer don't care, and will buy a toy regardless of a security flaw.

With the VTech case, the FTC is clearly establishing a precedent that will help consumers, regardless if they care about security or not. By enforcing the FTC Act, which requires vendors to accurately state their data collection and protection practices, the U.S. Government is providing a degree of protection for consumers. If vendors claim in their privacy policies that they will keep data secure and fail to do so, the VTech case now stands as an example that there will be a price to pay.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.