Customers angry over hacked toy company’s new “not it!” attitude

VTech tells parents they must now agree that their kids’ info may be intercepted if they want to use the toys.

Near the pictures of the happy cow and the smiling monkey on the VTech Facebook page is an angry post from a Maryland mom.

“All because YOU got hacked I’m suppose to give your company permission to allow my childs info to be out there. Are you nuts?” she asked.

Her post shows what some parents are feeling, now that the company has changed its terms of service after a hack that scooped up the information of 6 million people, including children’s names, dates of birth and pictures.

Other commenters posted the new line from the Learning Lodge’s terms of service that is causing the uproar: 

“YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES.”

Some customers believe the line is an attempt to shed responsibility for any future internet attacks.

“I mean seriously?” the Maryland mom said. “I am in no way okay with that! SO IF your hacked again its OUR fault our childs info gets out there & not yours? Way to go Vtech,you’ve lost a customer…”

Not just parents

Some cybersecurity experts say the new terms are confounding.

“I’m simply gobsmacked at the position that the company appears to be taking,” said Dave Lewis, founder of Liquidmatrix Security Digest.

He said another company, TalkTalk, has tried a similar position.

“We saw this same sort of nonsensical approach from TalkTalk in the UK recently when they claimed that they weren’t legally required to encrypt data,” Lewis told Archer News.

“This seems to be a modern day manifestation of the “not it!” children’s school yard response,” he added.

Some cybersecurity experts are telling parents to stop buying VTech products.

“This is an unbelievably arrogant and derogatory response considering their track record with data security,” said Ken Munro of Pen Test Partners told the BBC.

“If VTech think that those T&Cs are the answer to their problems I think they should be given a bigger problem to deal with. Boycott them and take your money somewhere else,” he said.

VTech’s take

VTech told Archer News that the new terms of service are not out of the ordinary.

“Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information,” VTech’s head of corporate marketing Grace Pang said in a statement. “But no company that operates online can provide a 100% guarantee that it won’t be hacked.”

“The Learning Lodge Terms and Conditions, like the T&Cs for many online sites and services, simply recognize that fact by limiting the company’s liability for the acts of third parties such as hackers,” she said. “Such limitations are commonplace on the Web.”

Is it legal?

Some legal experts told Motherboard that the line may not stand in the legal arena.

Georgetown University law professor Angela Campbell said the clause would probably not be valid in the U.S., Motherboard reported.

A lawyer in the European Union had harsher criticisms.

“This ass-covering doesn’t really work in the [European Union],” Dutch privacy lawyer Ot Van Daalen said in the Motherboard article. “Under EU law you have an obligation to secure data and you cannot waive this by putting something like this in the terms and conditions that you have with your consumers.”

However, a Washington D.C.-based attorney, James Denaro, told Motherboard that other sites use the same kind of wording.

“It comes off a bit awkwardly for them here, in light of being hacked, but it is a perfectly reasonable provision in a [Terms of Service] otherwise because nobody could promise they are perfectly secure,” Denaro said in the article. 

What does it mean for you?

Use these toys at your own risk, some cybersecurity experts say.

“Those are some interesting comments on the legality of the terms-of-service limitations, but until courts rule otherwise—after extensive time and money-consuming legal fights—we probably need to take the company at its word: they are not going to accept liability for stolen information,” said Patrick Coyle with Chemical Facility Security News.

Others say the new line in the terms of service exposes flaws in VTech’s system.

“Putting aside the legality/enforceability of this clause, I see this as evidence that one side of VTech—Product Development, Marketing, PR—doesn’t know what the other side—Corporate Legal—is doing, or at the very least that cyber security at VTech is poorly coordinated and poorly governed,” said security data scientist Russell Thomas.

“Sadly, this is all too common,” Thomas added.

Working on security

VTech announced in December that it was improving security, as well as cooperating with law enforcement to investigate the online attack. 

“We would like to offer our sincere apologies for any worry caused by this incident. We are taking all necessary steps to ensure that our users can continue to enjoy our products and services, safe in the knowledge that their data is secure,” VTech Holdings Limited’s Allan Wong said in the announcement.

The company also told customers on its website, “We will continue to work on further security improvements so that your children can enjoy their VTech toys knowing that their related data and yours are secure.”

Some cybersecurity experts are skeptical.

“Will these toy companies ever spend the type of money that giant software firms do to protect their information?” asked Coyle. “Probably not. And just remember that Microsoft sends out security updates every month. If they can’t get it right the first—and second, and third—time how can the toy company expect to?”

Happy customers?

There are plenty of eager customers on VTech’s Facebook site.

In response to a chance to win a free product, parents posted about their children’s favorite toys.

“My daughter loves all her VTech Toys specially Musical Rhymes Book!” wrote one mother.

“We love the vtech cars!!” wrote another.

“My daughter did love this walker,” added one father. “But Vtechs new stance of washing their hands of responsibility over the hack of their data, with zero commitment to protecting the children that use their toys, means ‘Dad’ is getting rid of all Vtech toys and will not be purchasing anymore.”

Your child’s picture, name, date of birth, address, chat logs, even your child’s learning progress—all part of the data that you submit, but do not control.

“In the end, we need to ask ourselves, ‘Do we really need toys that take our pictures, communicate with the Internet and share our secrets with not so trusted outsiders?’” asked Coyle. “We got by for centuries without them. Why should we start now?”