The Washington PostDemocracy Dies in Darkness

Toymakers are tracking more data about kids — leaving them exposed to hackers

VTech Kidizoom Smartwatches on display at a toy store Monday. (Tyrone Siu/Reuters)
Placeholder while article actions load

As toys go high-tech, hackers are zeroing in on a particularly vulnerable target — children.

VTech, a Hong Kong-based company that sells baby monitors and digital learning toys such as children's tablets, announced over the weekend that the data for 5 million "customer accounts and related kids profiles worldwide" were compromised as part of a cyberattack. The stolen data included names and birth dates of kids, mailing addresses and e-mail addresses, as well as what e-books, learning games and other software were downloaded to toys, the company said in a statement posted online. Credit card information and Social Security numbers were not breached.

Troy Hunt, who runs a service that alerts consumers to data breaches, reviewed information provided to the tech-site Motherboard by the alleged hacker and found that it was possible to link the stolen data about kids back to their family's last name and home address. Shares in VTech were suspended from trading early Monday but resumed later in the day.

Privacy advocates warn that the VTech incident may be one of many online breaches that will involve children. Companies are increasingly producing and marketing high-tech toys that link dolls and games to the Internet — as well as information about the kids playing with them. But the V-tech breach shows this data isn't always being guarded well.

"Toy companies are rushing to cash in on the changing nature of childhood in the Big Data era, where Internet connected toys are linking children to a vast surveillance network," said Jeffrey Chester, executive director of the Center for Digital Democracy. "These playthings can monitor their every move, turning what should be innocent and pleasurable experience into something potentially more sinister."

VTech sells popular toys mainly for very young toddlers, including its "Sit-to-Stand Learning Walker," "Baby's Learning Laptop," and "Kidizoom Smartwatch DX." The breach involved data collected by its Learning Lodge app store, where customers could download games and educational programs for some toys. The company took down the Learning Lodge Web site and as of Monday, consumers could only see a message: "Due to a breach of security on our Learning Lodge website, we have temporarily suspended the site."

VTech is hardly the only company going high-tech. This holiday season, Fisher-Price has been hawking its Smart Toy Monkey as an "interactive learning buddy" that "talks, listens and remembers what your child says." The company states on its Web site that "we never send voice data over the Internet." The toy, however, checks a "secure server each day to see if there are new activities for your toy to learn" and remembers how engaged a child is with each activity.

The new "Hello Barbie," a doll that uses artificial intelligence to learn about children and carry on real-time conversations, was released this month — raising alarm bells for some consumer protection watchdogs. Mattel and ToyTalk, the company behind the doll's voice features, have gone to great lengths to assure customers that information the doll collects will be safeguarded. But even the doll's privacy policy acknowledges that they cannot promise the data will stay private.

"We take reasonable measures to protect personal information in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration and destruction," it reads. "Please be aware, however, that despite our efforts, no security measures are perfect or impenetrable and no method of data transmission that can be guaranteed against any interception or other type of misuse."

[The big deal in toys this year? They play back.]

All to often, companies are rushing to add connectivity to their products without taking the security and privacy implications into account. Many toys are likely already vulnerable to data breaches, but have gone under the radar because attackers haven't figured out how to make money from hacking them yet, said Tyler Shields, a principal analyst focused on digital security at Forrester Research. He said he expects that to change rapidly.

"The concept of a standalone product is fading away — even something as simple as a toy is transitioning to the idea of a service where you get an internet connected device," he said. "As we see an explosion in Internet connected device we are going to see an explosion of attacks targeting those devices."

Chester said he alerted the Federal Trade Commission to the VTech incident over the weekend, hoping it will open an investigation into the company for violating the Children’s Online Privacy Protection Act, or COPPA — a law designed to help protect the privacy of kids under age 12.

The agency declined to weigh in on the specific incident. “FTC investigations are non-public and we do not comment on an investigation or the existence of an investigation," a spokesperson said.

If the agency were to investigate VTech, that investigation may be complicated by the international nature of the breach: The company is based in Hong Kong and it affected consumers from countries across the globe.