CHICAGO (CN) – The federal government said Monday that it settled the first children’s privacy case involving internet-connected toys with a Hong Kong electronics company accused of collecting personal information from millions of kids without parental consent and failing to safeguard the data against a massive cyberattack.
The Federal Trade Commission reached a $650,000 settlement the same day the Department of Justice filed a federal lawsuit in Chicago against VTech Electronics, which makes handheld devices, smartwatches and educational apps, games, videos and music.
According to the complaint, VTech violated children’s privacy laws by collecting personal information without parents’ consent and did not do enough to protect children’s sensitive information.
“In November 2015, defendants learned that a hacker had accessed their computer network, and exfiltrated the personal information of consumers, including personal information about the children who used Kid Connect,” the lawsuit states. “The hacker remotely accessed defendants’ test environment, and from there was able to traverse to the live environment, where defendants stored in clear text, among other things, parents’ full names, mailing addresses, e-mail addresses, secret questions, and children’s usernames. And although defendants stored passwords and children’s photos and audio files in an encrypted format, a database accessed by the hacker included the decryption keys for the photos and audio files, which would have allowed the hacker to access this information in a readable format.”
Children’s information was linked to their parents’ so that the hacker could tie a photo found on a kids’ account to their physical address, according to the complaint.
VTech had collected personal data from parents through its Learning Lodge Navigator, an online store for the company’s devices where users could download an app called Kid Connect. Data was also collected through a discontinued online platform called Planet VTech.
VTech spokeswoman Kaleigh Steinorth said that all copies of the hacked data were retrieved or destroyed. On Learning Lodge, close to 2.25 million parent accounts in the U.S. and almost 2.9 million related kid profiles could have been compromised, Steinorth wrote in an email.
Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection, said the internet-connected toys are part of a growing market and that parents should proceed with caution when their children play with the devices.
VTech has offices in Arlington Heights, Ill., Richmond, British Columbia, and Hong Kong, China.
The company said in a statement that it agreed to the settlement to address issues that were resolved long ago and did not admit any wrongdoing.
“We are pleased to settle this two-year-old investigation by the FTC,” said Allan Wong, chairman and group CEO of VTech Holdings. “Following the cyber attack incident, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers’ data.”
Law enforcement in England arrested a 21-year-old Bracknell man in connection with the data breach in December 2015.
A hacker reportedly tipped off the news website Motherboard about the breach. VTech was not aware of the hack until a Motherboard journalist contacted the company for comment, according to the site.
The consumer-protection agency found that the company’s security and data protection methods were inadequate and that it did not do enough to prevent and repel an attack.
The case stood out because of the high volume of children’s personal information. Identity thieves reportedly favor stealing kids’ data because of their clean credit histories, according to security experts.
The Children’s Online Privacy Protection Act requires that companies collecting personal data take reasonable precaution to protect it and get parental consent for children under 13.
The FTC and VTech said Monday that some 638,000 children were registered with Kid Connect. Close to 130,000 children’s profiles were created on Planet VTech accounts.
VTech’s data security protections and policies will be subject to review every two years for 20 years, per the settlement.