VTECH GETS WRECKED BY HACKER AND THEN FTC
Kids Tech Company Fined by Federal Trade Commission For Poor Security Restrictions
by Ian Dotson
In late 2015, VTech, a Hong Kong-based toy company known for its child-friendly gadgets, had its information databases breached by a lone hacker. As part of an underground modding community (in this context, "modding" is the act of modifying hardware or software so that it performs differently or does something other than its original intended purpose), this hacker became quite familiar with a new toy called the "InnoTab 3," a children's consumer tablet produced by VTech. Specifically, he focused on the tablet's wireless communication with the website VTech.com. Upon visiting the site, he found it was built using a largely outdated (even at the time) piece of software called Adobe Flash Player. Flash Player was widely known in the programming world to be unsafe and quite easy to exploit if you had the right tools. Using SQL injections, a form of malicious code used to break through a site's login parameters and access a website's data, the hacker was able to access the entire database of VTech users. SQL injections are generally used to modify or steal user data. What the hacker found, however, was that not only was he able to access users' emails, credit card numbers, addresses, phone numbers, passwords and password questions, but he also found an enormous cache of photographs and videos of VTech users... most of them of children.
Presented with a bigger moral dilemma than just having hacked into a private company's database, the hacker made the decision to go public with his findings. The 21-year-old whistleblower, now known to be a former tech security officer for Malware Bytes, contacted a reporter at a tech publication called Motherboard to expose the dangerous breach of privacy. After cross-referencing with other specialists in the tech community, the reporter found that the database contained the identities of nearly 200,000 children and roughly 4.8 million customers' emails and their unencrypted passwords. Though the hacker broke the story in the interest of exposing VTech's poor security, he nonetheless broke a federal law, violating the UK's Federal Computer Misuse Act of 1990 (the UK's premier legal defense against hacking). This led to his eventual arrest in December of 2015.
The story doesn't end there, however. This breach of personal privacy prompted investigations, not only by the UK's federal courts, but also by the US Federal Trade Commission, or FTC. This country has a complicated past when it comes to individuals' personal privacy. Edward Snowden brought to light government surveillance programs that allowed for the recording of phone calls and text discourse between potential terrorist "persons of interest." Many were outraged, stating that it violated their First Amendment right to privacy. Now US citizens generally call for more transparency and disclosure when it comes to how their data is used or accessed. One of the FTC's principal purposes, outside of regulating antitrust laws, is the general promotion of consumer protection in the US. Also under the FTC's jurisdiction is COPPA, the Children's Online Privacy Protection Act, which gives parents control over what data websites may collect from their children. VTech, in its poor execution of security measures as well as its unlawful collection of users' private data, violated a U.S. children’s privacy law in caching the personal information of children without "providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected" (FTC.gov). The FTC's lawsuit, settled in 2018, saw VTech pay a fine of $650,000 for the failure to protect the privacy of children using their products. This case is significant because it marks the FTC's first case regarding children's privacy and web-connected toys.
SOURCES:
https://learn.microsoft.com/en-us/sql/relational-databases/security/sql-injection?view=sql-server-ver16
https://www.cnbc.com/2015/12/02/vtech-hack-data-of-64m-kids-exposed.html
https://www.ftc.gov/business-guidance/privacy-security
https://www.ftc.gov/news-events/news/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated-childrens-privacy-law-ftc-act
https://www.vice.com/en/article/xygg9w/vtech-hacker-explains-why-he-hacked-the-toy-company
https://www.wired.co.uk/article/vtech-hack-arrest-uk-man
https://www.bbc.com/news/technology-35027504
https://www.bbc.com/news/technology-42620717
https://nationalcrimeagency.gov.uk