V Tech’s hack highlights reputational damage and liability
February 13, 2016
The internet of things is changing the way children use their toys. Ten years ago toys were overwhelmingly self-contained objects, even the electronic ones. The extent to which they were interactive was confined to basic voice recognition features and rudimentary command responses. Of course a huge number of toys remain “old school”: Lego, Matchbox cars and the ubiquitous teddy bears. But many are now connected to the internet. And with an internet connection come data security issues and hacks. That is what happened to VTech, whose electronic toys exposed the data of 6.4 million children, as reported in VTech hack: Data of 6.4M kids exposed.
The attack on VTech hampered the operability of the toys over the critical Christmas period, taking services offline and leaving customers unable to register them (see VTech hack: Parents complain of Christmas disappointment).
This has forced VTech to provide details to its customers about what the hack attack means in its FAQ about Cyber Attack on VTech Learning Lodge, which provides:
1. When did the Learning Lodge go back online?
Key functions of Learning Lodge and the app store for selected products went back online on Saturday, January 23, 2016 HKT.
2. What services are now back online?
Customers of Learning Lodge connected products, with the exception of InnoTV/StorioTV and some other products, are now able to securely register accounts for new products, manage their existing accounts and change passwords. The Learning Lodge app store has also re-opened for most products. For the complete list of opened services and supported products, please refer to the table.
3. What can I expect to see when I connect back to the Learning Lodge?
For existing Learning Lodge customers using the Download Manager installed on a PC/Mac:
- Your Learning Lodge program will be automatically updated and installed on your computer
- You will be asked to change your password
- You also need to provide a parental consent for data collection from your children
For InnoTab/Storio MAX customers with an existing Learning Lodge account:
- You need to access “Parental Control” for a firmware update
- You will be asked to change your password
- You also need to provide a parental consent for data collection from your children
4. Can I delete my Learning Lodge account?
Yes. You can use either the Learning Lodge program or a web browser to do so. Please refer to the Learning Lodge download webpage of your region for detailed information. However, VTech will need to keep a copy of your account data for a time in order to be able to respond to potential legal inquiries regarding the breach. But VTech will not access or process that data other than to respond to such inquiries.
5. Can I register a new product on Learning Lodge account?
With the exception of InnoTV/StorioTV and some other products, customers of Learning Lodge connected products can now register their new products securely. For the complete list of supported products, please refer to the table.
6. Can my product use the app store now?
Please check here to see if Learning Lodge is available for your product.
7. When will the app store for the remaining products be back online?
The app store for the remaining products is expected to be back online in February. We apologise for the continued inconvenience.
8. What about Kid Connect?
Kid Connect remains suspended at this time. We apologise for the continued inconvenience. We are working as fast as we can to bring it back online.
9. What about PlanetVTech and other suspended websites?
PlanetVTech will not be re-opened. We currently have no plan to re-open the other websites and services.
10. I have heard that there was a data breach on a VTech website – can you confirm if this is true?
While the forensic investigation is still underway, the information we currently have indicates that on or about November 14, 2015 HKT an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database, the PlanetVTech website, and Kid Connect servers. Learning Lodge allows our customers to download learning games, e-books and other educational content to their VTech products. Kid Connect is a service that allows children and parents to exchange voice and text messages, photos, drawings and fun stickers between VTech tablets, DigiGo and parents’ smartphones. PlanetVTech was a website that provided interactive games for children.
11. What website was affected?
VTech’s Learning Lodge app store customer database was affected and servers of PlanetVTech and Kid Connect accessed. As a precautionary measure, we have suspended Learning Lodge, the Kid Connect service and the following websites temporarily on November 29, 2015 HKT whilst we conduct a thorough security assessment.
- www.planetvtech.com
- www.lumibeauxreves.com
- www.planetvtech.fr
- www.vsmilelink.com
- www.planetvtech.de
- www.planetvtech.co.uk
- www.planetvtech.es
- www.proyectorvtech.es
- www.sleepybearlullabytime.com
- de.vsmilelink.com
- fr.vsmilelink.com
- uk.vsmilelink.com
- es.vsmilelink.com
12. When did you find out about the breach?
We received an email from a journalist asking about the incident on November 23, 2015 EST. After receiving the email, we carried out an internal investigation and on November 24, 2015 detected that some irregular activity took place on our Learning Lodge website on or about November 14, 2015 HKT. Our investigation confirmed on November 26, 2015 HKT that a breach had occurred. We immediately began a comprehensive check of the affected sites and are taking thorough actions against future attacks.
13. When did you inform customers and the public about the incident?
- After confirming the facts surrounding the unauthorized access to our customer database, we published a statement on our global website on Friday, November 27, 2015 HKT outlining the details of the data breach. On the same day, we sent email notification of the incident to all affected Learning Lodge and Kid Connect account customers.
- We published a second statement on Monday, November 30, 2015 HKT.
- A third press release with additional information was published on Thursday, December 3, 2015 HKT.
- A fourth statement about the re-opening of Learning Lodge was published on Monday, January 25, 2016 HKT.
14. How many customers are affected?
Our Learning Lodge, Kid Connect and PlanetVTech customers are affected. Here are the details:
a. Learning Lodge
In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected. Among those approximately 6.3 million kid profiles, approximately 1.2 million of them have Kid Connect service enabled. Kid profiles only include name, gender and birthdate.
b. PlanetVTech
There are 235,708 parent accounts and 227,705 kids’ profiles in PlanetVTech.
15. Could you provide a breakdown of number of people affected by each country?
According to our current information, the breakdown of Learning Lodge customers by country is as follows:
| Country | Parent Accounts | Child Profiles |
| --- | --- | --- |
| United States | 2,212,863 | 2,894,091 |
| France | 868,650 | 1,173,497 |
| United Kingdom | 560,487 | 727,155 |
| Germany | 390,985 | 508,806 |
| Canada | 237,949 | 316,482 |
| Others | 168,394 | 223,943 |
| Spain | 115,155 | 138,847 |
| Belgium | 102,119 | 133,179 |
| Netherlands | 100,828 | 124,730 |
| Republic of Ireland | 40,244 | 55,102 |
| Latin America | 28,105 | 36,716 |
| Australia | 18,151 | 23,096 |
| Denmark | 4,504 | 5,547 |
| Luxembourg | 4,190 | 5,014 |
| New Zealand | 1,585 | 2,304 |
16. How did the hacker get into your database?
We are currently investigating how the hacker was able to access the database. What is clear is that this was a criminal act and a well-planned attack. Our Learning Lodge, Kid Connect and PlanetVTech databases have been attacked by a skilled hacker. Upon discovering the breach, we immediately began a comprehensive check of the affected sites and are taking thorough actions against future attacks. Based on our latest investigation, all other VTech online sites have not been affected.
17. It is reported that the UK police has arrested a 21-year-old man in connection with the hacking. Do you have any comment to make?
As the investigation is on-going, other than the information announced by the South East Regional Organised Crime Unit (SEROCU) in the UK, there is no further information available at the moment.
18. What kind of information is in the databases?
- Our databases contain Learning Lodge and Kid Connect data with details listed below:
a. Learning Lodge
– Parent account information including name, email address, secret question and answer for password retrieval, IP address, mailing address, download history, history of device purchases, and password.
– Kid profiles created by parents, including child’s name, gender and birthdate.
– Progress logs to track kids’ games, for parents’ reference.
b. Kid Connect
– Parent account information including email address and password, and parent and child profile photos and user names.
– Kid Connect chat and voice messages and photos (sent by kids or parents).
– Bulletin board postings made by parents and their children.
c. PlanetVTech
– Parent account information including name, email address, secret question and answer for password retrieval, mailing address, history of device purchases, and password.
– Kid profiles created by parents, including child’s name, avatar name, password, gender and birthdate.
– Game score.
- Our databases do not contain any credit card or debit card or other financial account information. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.
- Our databases do not contain ID card numbers, Social Security numbers, driving license numbers or similar data.
19. Was any credit card information stolen?
No, our Learning Lodge website database does not contain any credit or debit card or other financial account information, and VTech does not process or store any customer credit or debit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.
20. Why do you need to retain this customer information?
Learning Lodge allows our customers to download learning games, e-books and other educational content to their VTech products. Customers need to set up an account for such transactions. The information is used to identify the customer, market our content and track their downloads.
21. Is there anything I can do to better protect myself?
We are advising you to immediately change your passwords and secret questions and answers on any other sites or services that may use the same password or secret question and answer as those formerly used on Learning Lodge or PlanetVTech. When you log in to the re-opened Learning Lodge site, you will be asked to create a new password.
22. What are VTech doing to protect data stored on Kid Connect?
The Kid Connect service has been temporarily suspended. We are reviewing our security protocols and will delete all Kid Connect bulletin board contents and unsent messages before we restart the service.
23. Have VTech informed their customers?
Yes, we have communicated the breach with our customers and the general public. We have posted statements and press releases on our website. We will add additional notices when appropriate.
Email has been set up to handle any enquiries as follows:
- US: vtechkids@vtechkids.com
- Canada: toys@vtechcanada.com
- France: explora_park@vtech.com
- Germany: downloadmanager@vtech.de
- Netherlands: exp@vtech.com
- Spain: informacion@vtech.com
- UK: consumer_services@vtech.com
- Australia and New Zealand: enquiriestoys_aunz@vtech.com
- Hong Kong: corporate_mail@vtech.com
- Other countries and regions: corporate_mail@vtech.com
24. Have VTech reported the case to any authorities? Are you being investigated?
We have appointed data security legal specialists who are liaising with local authorities, including law enforcement agencies investigating the hacking incident.
The problems for VTech have not lessened, with a significant community backlash against it as reported in Parents urged to boycott VTech toys after hack, and a disastrous interview as seen in VTech press officer halts hack attack interview, which provides:
Last year the hi-tech toy company VTech was hacked, resulting in millions of children’s accounts being compromised.
The BBC’s technology correspondent Rory Cellan-Jones sought to question one of the firm’s managers about the impact on its reputation at the London Toy Fair in January.
However, a press officer for the firm intervened.
Without doubt the press officer turned a difficult interview into a PR train wreck.
Since November last year VTech has been having one bad day at Black Rock after another. Ultimately it is a self-inflicted wound which VTech has made worse by its poor follow-up. It will no doubt be a case study in universities in the near future, in what not to do.
As is commonly the case, once the breach is discovered, its impact felt and the publicity grows, in come the regulators. In the UK the Information Commissioner’s Office has weighed in, stating that VTech’s terms and conditions do not absolve it of its responsibility for keeping data secure, as reported in VTech ‘is responsible’ for kids’ data says UK watchdog. As the Information Commissioner makes clear, data breaches have a reputational impact. Especially so for those whose business model is geared to internet sales and who focus on tech-savvy customers, old and young. The ICO recently made this point in Your reputation is at risk if you don’t keep data safe, ICO warns, which provides:
Companies that fail to keep personal data safe risk long-lasting reputational damage that can impact on the future success of the business, according to the Information Commissioner.
Christopher Graham’s comments are backed up by a YouGov poll which shows that nearly eight out of ten people would think twice about giving their custom to an online company that had made headlines for failing to stop a data security breach.
Speaking at the Advertising Association’s leadership summit tomorrow (Thursday 28 January) Mr Graham will say that ICO fines of up to £500,000 for breaching the Data Protection Act are a powerful deterrent, but the negative impact created by media coverage of a penalty can have a greater impact than the fine itself.
Mr Graham will say:
“Companies that play fast and loose with people’s personal information risk the wrath of the ICO and that means fines of up to £500,000.
“A heavy fine is bad enough, but the time, energy and money it takes to rebuild customer confidence can be as severe a punishment as the fine itself.”
The YouGov poll was commissioned by the ICO to mark European Data Protection Day. It showed 20 per cent of people would definitely stop using a company’s services after hearing news of a data breach, while 57 per cent would consider stopping. Only eight per cent said the coverage would make no difference and 14 per cent said they didn’t know.
Mr Graham said:
“The knock on effect of a data breach can be devastating for a company. Getting hit with a fine is one thing, but when customers start taking their business – and their money – elsewhere, that can be a real body blow.”
Keeping personal data secure is just part of the picture. Some 95 per cent of people polled by YouGov said it was very or fairly important that companies were clear from the outset about how their personal information would be used. And 94 per cent deemed it very or fairly important that their information was not shared with other companies.
Mr Graham said:
“It is clear that people care about what happens to their personal information. Getting it right is not only an obligation under law, but it should be central to an organisation’s reputation management.”
One would have thought what the Information Commissioner said was unremarkable and taken to heart by business. Wrong. Proper data security measures are the exception not the rule in Australia. Compliance with the Privacy Act is patchy. Poor regulation has made it thus.