VTech Electronics Limited has agreed to pay $650,000 as part of a settlement agreement with the Federal Trade Commission (FTC) for a 2015 breach that exposed millions of parents’ and children’s data.
On 8 January, the United States District Court for the Northern District of Illinois (Eastern Division) processed an action by which the FTC will obtain $650,000 in monetary penalties from VTech, a Hong Kong-based electronic toy manufacturer.
The payment is part of a settlement agreement for a security incident that occurred back in November 2015 when an unauthorized party obtained VTech customer data housed in Learning Lodge, a platform which allows customers to download child-based games, apps, and other content. The breach, which VTech confirmed in a statement shortly thereafter, exposed the names, email addresses, encrypted passwords, mailing addresses, and other information of 4,833,678 parents who bought products from the company. It also compromised the names, genders, and birthdays of at least 200,000 kids along with photographs of the children and chats they had with their parents.
Lastly, the company misled customers about its use of encryption to protect their PII in transit.
Travis Smith, a principal security researcher at Tripwire, feels these oversights are demonstrative of companies that neglect security for other concerns. As he told Archer News:
“When you’re trying to get a return on your investment and you want to get a device to market very quickly, security usually comes as an afterthought, or as a ‘nice to have,’ not a ‘need to have.’”
In addition to paying the penalty, which some feel is hardly a heavy fine, VTech has agreed to a permanent injunction that prevents future violations of the FTC Act and the COPPA Rule. The settlement also provides for any other relief the court deems “just and proper.”