A toy company says it’s not responsible for future data breaches, just months after 6.3 million children’s profiles on its websites were hacked.
VTech, a Hong Kong-based company that makes e-learning toys, is under fire from privacy experts and parents alike after it changed its terms and conditions following a massive security breach in November that left millions of parents and children exposed.
On Nov. 27, VTech, which makes interactive toys such as tablets, toy cars and smart watches, warned customers that a hacker had accessed customer data on Learning Lodge, the PlanetVTech website, and Kid Connect servers.
The hack occurred on Nov. 14, the company says on its website.
New terms and conditions, shown to customers in the U.K. and Australia and made public by Australian data security specialist Troy Hunt, warn parents that they assume the risk in the case of any future data breach: “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties,” the new terms and conditions read.
“You acknowledge and agree that your use of the site and any software or firmware downloaded there from is at your own risk.”
“You can sort of tell a lot about an organization by how they respond to these incidents,” says Hunt, a parent.
Hunt accused the company of trying to shirk its responsibilities to its customers.
Hunt, who tracks data breaches on his own site, haveibeenpwned.com, learned about the hack from Motherboard journalist Lorenzo Franceschi-Bicchierai, who first reported the breach.
After looking at the data, and looking into the site’s security, Hunt said he was astounded at the lack of protection.
He ranks the VTech hack as the seventh largest data breach to date, after Adobe in 2013 and Ashley Madison last year.
Hunt said he found no evidence that the company used encryption, a common best practice that renders readable text illegible to digital eavesdroppers. Hunt also found that passwords were weakly protected, and that the website leaked data.
About 6.3 million kids’ profiles were affected, including about 316,500 profiles in Canada.
The profiles contained the name, gender and birthdate of the children, and some contained photos and messages.
Credit card information was not exposed.
VTech maintains it is doing everything it can, and that the hack was a sophisticated attack on its customers.
“Our Learning Lodge, Kid Connect and PlanetVTech databases have been attacked by a skilled hacker,” the company says on its website.
“Upon discovering the breach, we immediately began a comprehensive check of the affected sites and are taking thorough actions against future attacks.”
VTech has apologized for the breach, but told the BBC its new terms and conditions are par for the course in the digital age.
“Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information,” a spokeswoman told the BBC.
“But no company that operates online can provide a 100-per-cent guarantee that it won’t be hacked. The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognize that fact by limiting the company’s liability for the acts of third parties such as hackers. Such limitations are commonplace on the web,” the VTech spokeswoman told the BBC.
Hunt, who has a three-year-old and a six-year-old, said he won’t use VTech products in the future because of how the company has tried to avoid liability, and others have called for a boycott.
“They just simply can’t be trusted,” Hunt said.
Asked about this, VTech Hong Kong’s communication officer Rachel Cheung told the Toronto Star the company has remedied any security issues that led to the attack.
“We’ve taken a lot of measures to enhance our data protection,” Cheung said. “Since the Learning Lodge has reopened, we haven’t had any problems.”
It’s unclear if the terms and conditions have changed worldwide, or only in some jurisdictions.
In Canada, the wording appears less strong, but the company still waives responsibility for security.
“VTech expressly disclaims any warranty that the Web site or your access to it will be uninterrupted, continuous, error-free or secure.”
“We have been in contact with the company with regard to the breach and our discussions with them are ongoing,” said spokesperson Valerie Lawton.
— with files from Laura DaSilva