The Federal Trade Commission announced yesterday that it had settled its case with VTech Electronics over a 2015 security breach that left the personal information of millions of children exposed. Hackers gained access to the company’s main server which contained information on almost five million parents and six million children around the world. The popular toy company, which makes electronic learning products, agreed to pay the FTC $650,000 in fines for allegedly violating the Children’s Online Privacy Protection Act (COPPA) and failing to secure the data of their users.
Along with names, emails, passwords, and download histories, the hackers were also able to download approximately 190 GB of photos from VTech’s Kid Connect app, which is an app that lets kids get online to connect with other VTech users. The majority of the images are believed to be headshots users could send through the chat app, meaning hackers could potentially have access to countless photos of kids without permission from the child or their parents. According to BBC News, “almost 650,000 children downloaded the app and used it in conjunction with VTech’s educational toys.”
When the FTC discovered the security violation, it filed an official complaint against VTech for “failing to take reasonable steps to secure the data it collected.” The complaint also alleges that VTech misled users with its privacy agreement, as the company stated that its gaming and chat platforms Learning Lodge and Planet VTech encrypted the personal information of users. However, the FTC found that the information had not been encrypted.
“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen in a statement. “Unfortunately, VTech fell short in both of these areas.”
Along with paying the $650,000 to the FTC, VTech must also establish a “comprehensive data security program” that will be subject to independent audits for 20 years.