Anything can be hacked. Even toys. Toy manufacturer VTech found this out the hard way late last year when its network for children’s tablets was hacked. Most unnervingly, the exposed data included photographs and voice recordings of children playing with the device. The perpetrator of the hack allegedly carried out the attack to teach the company a lesson about cybersecurity, in the hope that it would straighten up.
At least it should have learned something. The attack showed that the company was securing its data with outdated protocols, and FireEye was hired to clean up the mess. Over the last few weeks, VTech’s ugly brush with bad publicity seemed to have died down, until it emerged that the company had made some unflattering changes to its terms and conditions for European customers.
Crucially, the company attempted to absolve itself of any blame or responsibility for its customers’ data. It stated: “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.
“Use of the site and any software or firmware downloaded therefrom is at your own risk.”
VTech appeared to be covering its tracks in case anything ever went wrong in the future. A spokesperson for VTech said that the updates are “limiting the company’s liability for the acts of third parties such as hackers … Such limitations are commonplace on the web.”
Unfortunately for the company, that doesn’t look like it’s going to fly, with lawyers wading into the debate over liability. One lawyer said that language like this in terms and conditions can be used to discourage customers from taking legal action, but that it does not actually remove the company’s obligations.
“[U]nder European and UK law the obligation is on the company in control of the data to take appropriate steps to protect the information from unauthorized disclosure or access,” he said. “Even if VTech did try and argue that people were contractually prohibited from bringing a claim, it is a difficult position for the firm to take.”
The UK’s information commissioner agrees. Its office also came down hard on VTech this week for its shrewd update to the terms and conditions, stating that the company would very much remain responsible for the data, at least in the UK.
The move has many of VTech’s distributors scratching their heads too, wanting to know where they stand legally as far as data protection is concerned. British retailer Argos told the BBC that it is in ongoing talks about how to proceed in dealing with the company.
That’s the business end of things but what about the customers then? Cybersecurity professionals are none too pleased with how VTech handled its customers’ data and how it responded. Some are now encouraging parents to boycott the company.
Troy Hunt, an Australian security expert, wrote a severe blog post last week excoriating the company. He called the T&Cs update unacceptable. “People don’t even read these things!” he said. “If they honestly don’t feel they’re not up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the ‘zero accountability’ clause.”
“If VTech think that those T&Cs are the answer to their problems I think they should be given a bigger problem to deal with. Boycott them and take your money somewhere else,” added Ken Munro of security firm Pen Test Partners.
In a follow-up post this week, Munro pointed out that VTech could find itself running afoul of the EU’s new data protection rules, the General Data Protection Regulation, or GDPR.
Granted, the rules don’t come into effect until 2018, but they state that any company collecting data on Europeans will be required to put minimum protection mechanisms in place. The two-year lead time is intended to give companies a chance to get in line or face hefty fines based on their turnover.
“So VTech, you have two years to get your house in order, otherwise you’ll get the sort of fine you deserve for your cock-up: €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater,” said Munro.
VTech’s security woes may have garnered a lot of attention, but they’re not unique; they are just the latest in a string of attacks and security vulnerabilities affecting different industries. Children’s toys are just the newest one.
Late last year, a security researcher discovered that Wi-Fi-enabled Barbie dolls could be breached and used to record conversations. Meanwhile, Hello Kitty was hacked a couple of months ago, exposing details of more than three million customers. Regardless of whether or not the VTech hackers were as noble as they claim, one thing is clear: the toy industry has a lot to learn about security and privacy.