VTech Electronics Limited has agreed to pay $650,000 as part of a settlement agreement with the Federal Trade Commission (FTC) for a 2015 breach that exposed millions of parents’ and children’s data.

On 8 January, the United States District Court in the Northern District of Illinois (Eastern Division) processed an action (PDF) by which the FTC will obtain $650,000 in monetary penalties from VTech, a Hong Kong-based electronic toys manufacturer.

The payment is part of a settlement agreement for a security incident that occurred back in November 2015 when an unauthorized party obtained VTech customer data housed in Learning Lodge, a platform which allows customers to download child-based games, apps, and other content. The breach, which VTech confirmed in a statement shortly thereafter, exposed the names, email addresses, encrypted passwords, mailing addresses, and other information of 4,833,678 parents who bought products from the company. It also compromised the names, genders, and birthdays of at least 200,000 kids along with photographs of the children and chats they had with their parents.


An investigation into how the incident occurred reveals VTech violated the Children’s Online Privacy Protection Act (COPPA), a rule which imposes requirements for operators of websites that collect information from children under 13 years of age. It did so by not linking to its Privacy Policy wherever parents submitted their children’s information to register for Kids Connect, a communications service which requires parents to first sign up with Learning Lodge. Furthermore, VTech failed to include specific disclosures of data collection in its Privacy Policy as mandated by COPPA, and it neglected to implement proper data security measures that could have protected customers’ and their children’s personal information.

Lastly, the company misled customers about its use of encryption to protect their PII