News: VTech fails to answer history’s largest data breach on children, cybersecurity expert says.
Following a mass-scale cyber attack that affected over 6.3 million children's accounts last year, experts have issued fresh warnings about electronic learning provider VTech.
The Hong Kong-based toymaker was last November the target of a large-scale cyber attack that exposed the accounts of over 6.3 million children across at least 16 countries, including the UK, where 727,155 accounts were breached.
Attackers gained access to the accounts and were able to read names, ages, genders, photos, children's relationships to their parents, and where they could be located.
VTech has released new terms and conditions; however, experts believe it has failed to address the issue correctly.
In section seven, limitation of liability, it reads: "You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.
"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.
"You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk."
The new terms were spotted by Troy Hunt, an Australian security specialist who admitted in a blog post that he has "a really hard time fathoming" the term quoted above.
A spokeswoman told the BBC that since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information.
She said: "But no company that operates online can provide a 100% guarantee that it won’t be hacked.
"The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company’s liability for the acts of third parties such as hackers.
"Such limitations are commonplace on the web."
After the attack, VTech said that FireEye's Mandiant Incident Response services and its cyber forensic teams were assisting the group in its response to the cyber attack and in strengthening the security of its systems.
The company's CEO, Allan Wong, said he was "deeply shocked" and offered his "sincere apologies for any worry caused by this incident".
Hunt said: "In an era where major incidents such as Ashley Madison and TalkTalk were front-page news in the mainstream press, VTech continued to run a service with such egregious security flaws as the SQL injection risk the hacker originally exploited, unsalted MD5 password hashes, no SSL encryption anywhere, SQL statements returned in API calls (it's actually in the JSON response body of my post above) and massively outdated web frameworks."
Pat Clawson, CEO of the Blancco Technology Group, said that the VTech response was a perfect example of what not to do following a data breach. He said:
"When a data breach happens, most companies will make modifications to their Terms and Conditions. But what VTech is doing is a perfect illustration of what companies should not do – putting the burden of responsibility on the users, instead of the company itself. It’s not only a bad business practice, but it’s also taking the implied stance that as a company, VTech doesn’t understand the importance of managing data holistically across the entire lifecycle. Based on the change VTech made to its T&C, I would proffer that the company’s internal IT staff view data in terms of its position within physical assets, such as a website, a computer, a server or a mobile device.
"Their entire business model is based on selling their core product – electronic learning toys for children. And parents are the ones with the income to buy VTech products for their children. What parent would feel even remotely comfortable buying a toy from a company that blatantly and unapologetically tells them they shouldn’t have any expectation of privacy? They are going to have a very difficult time scaling their business with these updated terms and conditions."