Lieff Cabraser Civil Justice Blog
No, VTech Cannot Simply Absolve Itself of Security Responsibility

Tech blogger Troy Hunt has published a scathing piece on Hong Kong-based electronic toy maker VTech for what he calls “allowing itself to be hacked” in November 2015, resulting in the exposure of the personal information of more than 2.8 million children. The damage is bad now and may well grow far worse: the hackers can store this data until the children come of age over the next few years, at which point the potential harm rises sharply, because accounts can be opened and other financial operations carried out in their names and with their full identity records.

Hunt described VTech’s egregious security failures at length:

VTech continued to run a service with such egregious security flaws as the SQL injection risk the hacker originally exploited, unsalted MD5 password hashes, no SSL encryption anywhere, SQL statements returned in API calls … and massively outdated web frameworks. [T]hey also had multiple serious direct object reference risks; the API that returned information on both kids and parents could be easily exploited just by manipulating an ID.

(Hunt’s review is a bit technical, but the gist is that VTech knowingly left the lights on, the doors open, and all but posted a “Take All You Can Carry” sign in the windows.) Hunt goes on to dismiss VTech’s claims that strong security was defeated by a high-level coordinated attack:

I actually created two accounts in order to demonstrate that whilst logged on as one, I could access the data from the other. The level of sophistication involved here is being able to count, yet in a subsequent press release, VTech claimed that the incident was an “orchestrated and sophisticated attack on our network”. No, it was neither of these things firstly because it was a single individual therefore they weren’t exactly orchestrating anything with anyone and secondly, because being able to add numbers does not make for a sophisticated attack nor does being able to mount a SQL injection attack using some automated tools (indeed this was how a 15-year-old kid was able to compromise TalkTalk). As much as the attacker’s actions were illegal and he deserves to be held accountable, VTech has some serious blame to wear.

Hunt further criticizes VTech for its attempt to shift responsibility to its customers via their acceptance of its Terms and Conditions, and his frustration grows as he observes that the company, which has effectively demonstrated enormous deficiencies with respect to security, is moving into the field of Home Security with a new suite of home monitoring products. As Hunt concludes,

“The bigger picture here is that companies are building grossly negligent software … and then simply not being held accountable when it all goes wrong.”

Consumer Protection Attorneys at Lieff Cabraser

Lieff Cabraser represents parents in a nationwide class action lawsuit against VTech arising out of a purportedly low-grade hacking effort that succeeded in the wake of VTech’s alleged failure to take reasonable precautions to secure the children’s data. The stolen information includes the children’s names, birthdates, images, email addresses, and home addresses. VTech acknowledges that data relating to more than 2.8 million children was stolen in the attack. If your child’s data was stolen, or if you are concerned that such personal child data might have been obtained from VTech in the November 2015 hack, we invite you to contact us via email or call us at 1 800 541-7358 to talk to a Lieff Cabraser privacy rights and data security attorney about your legal case.