- April 21, 2017
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyber Crime, Data Breach, Hacking, Posts with image, Privacy, Smart Devices
When a company goes bankrupt, you could lose money—and your private information.
Jenna’s husband works in pipeline construction, and it keeps him away from home for months at a time.
The soft, huggable CloudPets let their kids hear daddy’s voice from afar—recorded messages sent from his phone to the fluffy toy in their bedroom in Louisiana.
But on his last trip, the CloudPets went quiet—no sweet greetings from daddy, no “I love you, papa,” from the kids.
The app stopped working, Jenna said.
“Then all of a sudden I got an e-mail that our account was hacked,” she told Archer News. “So, now what? I have a $20 pet for nothing?”
Security researcher Troy Hunt said the company behind CloudPets, called Spiral Toys, exposed the data, pictures and voice recordings of hundreds of thousands of children.
He called it a “horrific case in so many ways.”
Diagram showing how CloudPets work. Image via: CloudPets
But some families trying to reach Los Angeles-based Spiral Toys for help about the hack or broken apps say they can’t get through.
“I’ve messaged you with no response,” wrote a father on the CloudPets Facebook page. “Is this situation fixable? Or is cloud pets closing up shop?”
No reply from CloudPets. And the company’s last Facebook post or comment appears to be from about six weeks ago.
“…I seriously can’t fathom that your lil’ startup is stupid enough to close shop and bug out,” said an unhappy military mom. “Seriously. Shady.”
If the company does shut down, some worry it could put families even further in harm’s way. What will happen to the kids’ data?
“Their children’s data has already been compromised,” said attorney Ben Meiselas with Geragos and Geragos. “And this is a real risk, that if this company goes under that further data could become compromised.”
If a company fails, you may be able to get your money back. But what about your personal information?
Families complained about the toys on the CloudPets’ Facebook page.
You’ll have trouble getting an answer from Spiral Toys about the state of the company—or any other question.
Our e-mails through the website and directly to the CEO, Mark Meyers, get no reply.
Image of Spiral Toys CEO Mark Meyers from promotional YouTube video. Image from Behind Spiral Toys on YouTube
If you call the company’s phone numbers listed with the Securities and Exchange Commission, you may end up talking to a man who claims he doesn’t work for Spiral Toys and doesn’t know what is going on, or a taxi service in New Jersey.
“As best as I can tell, they’re winding everything down,” Hunt told Archer News.
Archer News contacted CloudPets and Spiral Toys numerous times through the company website, e-mail & phone.
This is not Spiral Toys’ first brush with trouble.
As Hunt noted, the company’s Chief Financial Officer, Robert Stewart, was convicted of insider trading last year after investigators said his investment banker son passed him inside tips about upcoming deals through secret messages designed to look like golf talk.
A company report in May 2016 said Spiral Toys was defending itself against two legal claims about infringement of intellectual property, and revealed financial issues and a dispute among companies distributing CloudPets.
“Unfortunately, one of the primary wholesale customers for the CloudPets cancelled an order for a large quantity of the CloudPets units, which remain unsold in the distributor’s inventory,” the report said, leaving Spiral Toys unpaid.
Morningstar reported the price of Spiral Toys’ stock at $00.00 on April 20, 2017. Image via Morningstar
Doing the right thing
For Hunt, this is a unique situation.
People contact him with evidence of a data breach, like a large database for sale on the dark web. Hunt investigates and contacts the breached company to notify them of the problem—with varying responses.
“I’ve certainly dealt with many companies that were behaving very badly,” he said. “I honestly can’t think of a case where they were going out of business.”
The CloudPets premium app on Android gets a rating of 2.3 out of 5 stars. Image via Google Play
While you might trust LinkedIn or Yahoo to make changes to protect your information after a breach, or at least pay for your credit monitoring, what will happen with a company short on money—especially when some Spiral Toys customers are already complaining about poor, slow and faulty communication?
“I received an email from them asking me to click on the link in the email and change my information, but a couple of sentences down was this… ‘Avoid clicking on links or downloading attachments from suspicious emails,’” a customer told Archer News. “Are they serious?”
In addition, another researcher said he discovered that CloudPets were made without proper cybersecurity and left kids at risk, and though he tried to warn the company in October, he received no reply.
“How do we sort of beholden them to doing the right thing with the data?” Hunt asked.
Some parents complained about the CloudPets data breach on Facebook.
There are ways to apply pressure, according to Meiselas.
State or federal civil enforcement agencies can ask for an injunction to protect the data, he said.
If a company goes bankrupt, the courts can appoint a receiver to take over company management and deal with assets—like money and data—properly.
There can be political pressure, too.
Senator Bill Nelson, D-Fla., has already sent a letter to Spiral Toys demanding answers about the breach.
And ultimately, there could be criminal charges, depending on the facts of the case, Meiselas said.
“If the conduct by this corporation is deemed to be grossly reckless or intentional, or they put a product on the market without any safety protocol and intentionally exposed the data of children to third parties—and potentially really pernicious sources in the dark web—there could be other more serious and severe repercussions,” he explained.
Facebook ads for CloudPets show prices dropping over the last few months down to as low as $1, or in some cases, free with purchase of another item.
But there are downsides, according to Meiselas.
You may be able to get a refund for money lost—for example, if the toy stops working—but how do you refund personal information?
“The bad news is that the data that is already compromised is very difficult to claw back, if not impossible to claw back,” he said.
Also, he said, parents will need to act—contacting lawmakers and law enforcement, for example—to get the issue on the priority list of busy agencies and officials with many other cases on their hands.
A Twitter user posted a picture of CloudPets for sale at a discount store.
Of course, Spiral Toys could come through for their customers, fixing the reported security issues and technical problems.
“Protecting our user’s privacy is very important to us, particularly when children are involved,” the company said in a set of FAQs on its site.
If the executives behind CloudPets don’t come through, they may have some confused and irate families, some of whom say they spent as much as $40 each for multiple pets, plus $4.99 for the premium iPhone app.
“Are they going to make the ones we have work, or are they just going to let them die out?” asked Jenna.
The 2016 company report may show insight.
“We terminated our involvement in manufacturing CloudPets, which was the primary source of revenue in 2015,” the report said. “Additional products are currently being developed and are anticipated to be released in the third quarter of 2016.”
Spiral Toys offered promotions to encourage members of the military to buy CloudPets in May 2016.
For Meiselas, this story brings up a concern—that some toy companies may be making big money by selling high-tech toys that ultimately flop, then moving on to the next hyped product.
Over the past year, three popular connected toys generated complaints from parents over the Christmas holidays, including the Furby Connect and Hatchimals, now part of a class action suit through Meiselas’ law firm.
He compared the process to boiler room operations that mine for cash, then shut down.
“They set up, they make their money and then they try to escape liability—literally—in their Porsches and Lamborghinis, and go on to the next pump-and-dump schemes,” he said of the boiler rooms.
“I think what we’re seeing is a consumer version of the pump-and-dump on a lot of products that don’t live up to their expectations,” Meiselas added.
That may be a warning for families tempted by highly-advertised connected toys—you could lose your money, your kids’ information, and any tech support if the toy doesn’t work as advertised.
“We hope parents look at ingredients in food. We’re sort of getting that way with toys, too,” Hunt said. “As a parent, you really want to think about what you’re exposing your kids to.”
Main image: CloudPets promotional picture. Image via: CloudPets