Troy Hunt, who runs a service that alerts consumers to data breaches, reviewed information provided to the tech-site Motherboard by the alleged hacker and found that it was possible to link the stolen data about kids back to their family's last name and home address. Shares in VTech were suspended from trading early Monday but resumed later in the day.
Privacy advocates warn that the VTech incident may be one of many online breaches that will involve children. Companies are increasingly producing and marketing high-tech toys that link dolls and games to the Internet — as well as information about the kids playing with them. But the V-tech breach shows this data isn't always being guarded well.
"Toy companies are rushing to cash in on the changing nature of childhood in the Big Data era, where Internet connected toys are linking children to a vast surveillance network," said Jeffrey Chester, executive director of the Center for Digital Democracy. "These playthings can monitor their every move, turning what should be innocent and pleasurable experience into something potentially more sinister."
VTech sells popular toys mainly for very young toddlers, including its "Sit-to-Stand Learning Walker," "Baby's Learning Laptop," and "Kidizoom Smartwatch DX." The breach involved data collected by its Learning Lodge app store, where customers could download games and educational programs for some toys. The company took down the Learning Lodge Web site and as of Monday, consumers could only see a message: "Due to a breach of security on our Learning Lodge website, we have temporarily suspended the site."
VTech is hardly the only company going high-tech. This holiday season, Fisher-Price has been hawking its Smart Toy Monkey as an "interactive learning buddy" that "talks, listens and remembers what your child says." The company states on its Web site that "we never send voice data over the Internet." The toy, however, checks a "secure server each day to see if there are new activities for your toy to learn" and remembers how engaged a child is with each activity.
"We take reasonable measures to protect personal information in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration and destruction," it reads. "Please be aware, however, that despite our efforts, no security measures are perfect or impenetrable and no method of data transmission that can be guaranteed against any interception or other type of misuse."
All to often, companies are rushing to add connectivity to their products without taking the security and privacy implications into account. Many toys are likely already vulnerable to data breaches, but have gone under the radar because attackers haven't figured out how to make money from hacking them yet, said Tyler Shields, a principal analyst focused on digital security at Forrester Research. He said he expects that to change rapidly.
"The concept of a standalone product is fading away — even something as simple as a toy is transitioning to the idea of a service where you get an internet connected device," he said. "As we see an explosion in Internet connected device we are going to see an explosion of attacks targeting those devices."
Chester said he alerted the Federal Trade Commission to the VTech incident over the weekend, hoping it will open an investigation into the company for violating the Children’s Online Privacy Protection Act, or COPPA — a law designed to help protect the privacy of kids under age 12.
The agency declined to weigh in on the specific incident. “FTC investigations are non-public and we do not comment on an investigation or the existence of an investigation," a spokesperson said.
If the agency were to investigate VTech, that investigation may be complicated by the international nature of the breach: The company is based in Hong Kong and it affected consumers from countries across the globe.