VTech terrified parents this past holiday season when a security breach exposed the personal data and photographs of over 6 million children. Now the electronic children’s toy manufacturer is absolving itself of any further responsibility in case it happens again.
Last November, a massive breach exposed VTech’s practically nonexistent security measures, which allowed a hacker to acquire the aforementioned information. In response, the company disabled the Learning Lodge application. They brought it back online on January 23rd, with a major caveat.
Following the breach, the company claimed to have beefed up their security measures to prevent future cyberattacks. In an email directed to customers, VTech president King Pang assured parents that the company is “committed to the privacy and protection of the information you entrust with VTech.” However, less than a month after the breach, they quietly updated their Terms and Conditions to completely absolve themselves of any responsibility should another breach actually happen.
You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded therefrom. You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intersected or later acquired by unauthorized parties.
VTech defends its updated Terms and Conditions as “commonplace on the web,” but while there is always a chance of an online company succumbing to a cyberattack, multiple security experts have criticized the high-tech toy company for their shady behavior. Microsoft security developer Troy Hunt, who helped verify the database breach, blasted the company for trying to abdicate the responsibility of protecting their customers’ personal information.
“Certainly that’s the expectation of the customer – that the information they provide will remain secure – and VTech cannot simply just absolve themselves of that responsibility in their terms and conditions,” said Hunt. “If they honestly feel they’re not up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the ‘zero accountability’ clause.”
Continuing the criticism, Rik Ferguson, leading security expert and Vice President of Security Research at Trend Micro, called the clause “outrageous, unforgivable, ignorant, opportunistic, and indefensible.” Professor Angela Sasse remains “cautious” of the company in its entirety. “The nature of the security flaws identified, and their displayed lack of urgency in fixing them, casts doubt on their security competence,” said the director of UK Research Institute in Science of Cyber Security. “Instead, they change the T&Cs to ‘dump’ any risk on their customers – I would not trust a vendor who behaves in this way.” Amidst calls for a boycott of the company, VTech’s planned acquisition of rival toy producer LeapFrog is concerning.
In further, comically terrible news, VTech’s new line of internet-connected home security devices is slated to release this summer. But don’t worry! This time “everything is going to be very secure.” With how quickly they’ve established CYA measures after November’s hack, I’m sure they’ve learned their lesson — but you may want to have a magnifying glass on hand for the fine print. Y’know, just in case.
Follow Nate Church @Get2Church on Twitter for the latest news in gaming and technology, and snarky opinions on both.