View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 11, 2016updated 04 Sep 2016 10:21pm

VTech faces backlash after naming parents responsible for future data breaches

News: VTech fails to answer history’s largest data breach on children, cybersecurity expert says.

By Joao Lima

Following a mass scale cyber attack that affected over 6.3 million children’s accounts last year, experts have made fresh warnings on electronic learning provider VTech.

The Hong Kong based toymaker was last November the target of a large scale cyber attack that exposed the accounts of over 6.3 million children across at least 16 countries, including the UK, where 727,155 accounts were breached.

Attackers gained insights into the accounts and were able to access names, ages, genders, photos and children’s relationships to their parents and where they could be located.

VTech has released new terms and conditions, however, experts believe it has failed to address the issue correctly.

In section seven, limitation of liability, it reads: "You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.

"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.

"You acknowledge and agree that your use of the site and any software or firmware downloaded there from is at your own risk."

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

The new terms were spotted by Troy Hunt, an Australian security specialist who admitted in a blog post that the above term has given him "a really hard time fathoming".

A spokeswoman told the BBC that since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information.

She said: "But no company that operates online can provide a 100% guarantee that it won’t be hacked.

"The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company’s liability for the acts of third parties such as hackers.

"Such limitations are commonplace on the web."

After the attack, VTech said that FireEye’s Mandiant Incident Response services and its cyber forensic teams, were assisting the group in its response to the cyber attack to strengthen the security of its systems.

The company’s CEO, Allan Wong said he was "deeply shocked" and offered his "sincere apologies for any worry caused by this incident".

Hunt said: "In an era where major incidents such as Ashley Madison and TalkTalk were front page news in the mainstream press, VTech continued to run a service with such egregious security flaws as the SQL injection risk the hacker originally exploited, unsalted MD5 password hashes, no SSL encryption anywhere, SQL statements returned in API calls (it’s actually in the JSON response body of my post above) and massively outdated web frameworks."

Pat Clawson, CEO of the Blancco Technology Group, said that the VTech response was a perfect example of what not to do following a data breach. He said:

"When a data breach happens, most companies will make modifications to their Terms and Conditions. But what VTech is doing is a perfect illustration of what companies should not do – putting the burden of responsibility on the users, instead of the company itself. It’s not only a bad business practice, but it’s also taking the implied stance that as a company, VTech doesn’t understand the importance of managing data holistically across the entire lifecycle. Based on the change VTech made to its T&C, I would proffer that the company’s internal IT staff view data in terms of its position within physical assets, such as a website, a computer, a server or a mobile device.

"Their entire business model is based on selling their core product – electronic learning toys for children. And parents are the ones with the income to buy VTech products for their children. What parent would feel even remotely comfortable buying a toy from a company that blatantly and unapologetically tells them they shouldn’t have any expectation of privacy? They are going to have a very difficult time scaling their business with these updated terms and conditions."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.