Don’t Rely on Santa to Deliver Connected-Toy Cyber Security

There was a point in recent history when a parent, asked about securing their daughter’s privacy, thought first of her locked handwritten diary, hidden under her mattress.

Almost 3 million American parents knew that day was long gone as they faced a potentially more serious Internet privacy breach last week. Their adult VTech accounts, along with their related children’s profile data, had been compromised in a cyber-attack, according to the Hong Kong-headquartered company’s announcement. Stolen data included non-encrypted children’s names and birthdates, mailing addresses and e-mail addresses, security secret Q&As, and device and software download history. VTech manufactures baby monitors, smart watches, and pre-school electronic learning and gaming tablet toys that download educational software from the Learning Lodge app store on the company’s website.

According to reporting by Lorenzo Franceschi-Bicchierai, who has interviewed the anonymous VTech hacker, the hacker’s intention was never to profit by selling the data to third parties. Rather, he went to Motherboard for public disclosure: “When I got the [database] dumps, I realized how serious it was. I just wanted issues made aware of and fixed.”

VTech has until January 8, 2016 to respond to a US lawmaker’s information request about the hacking incident and the company’s plan for parental notifications. VTech has also been asked to state what data the company collects on children, describe its data security policies and practices, and explain how the company complies with the US Children’s Online Privacy Protection Act (COPPA), a law updated in 2013 and designed to help protect the privacy of kids under age 13 by limiting the types of collectable data and requiring parental authorization for its collection. Although VTech does maintain a Press Room archive with recent press releases on the cyber incident at its e-commerce website, there is no prominent website notification of the reason that the Learning Lodge is off-line, nor any parental disclosure of the hacking incident with follow-up action steps for parents.

During reviews of recent large-scale cyber-attacks, security experts have discovered two primary flaws: organizations keep too much data and utilize primitive security equipment and protocols.

VTech tablets can no longer access the Learning Lab app store.

“Toy companies are rushing to cash in on the changing nature of childhood in the Big Data era, where Internet connected toys are linking children to a vast surveillance network,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “These playthings can monitor their every move, turning what should be innocent and pleasurable experience into something potentially more sinister.”

Concerned about the plethora of over 50 free Santa apps in the Google and Apple stores that have “FaceTimed” the handwritten Letter to Santa and the local news weather forecaster’s monitoring of Santa’s Christmas Eve journey, ASRC, the self-regulatory watchdog group of the ad industry and the BBB, issued a cursory press release that reminded parents of their responsibility for safeguarding their child’s online privacy. There was no mention of privacy concerns about recently released IoT connected toys like Fisher-Price’s interactive learning buddy “Smart Toy Monkey” or Mattel’s artificial-intelligence “Hello Barbie,” both of which have drawn published concerns from independent security analysts during the past year.

Because of rapidly changing cyber technology and the complex technical security agreements that must be in place between connected-toy sellers and their third-party technology providers, have we reached the point where the COPPA law should be amended to require standardized parental disclosures of children’s privacy risks on product labeling and in children’s advertising? I believe the time has come when new standards, like those used on tobacco products and in prescription drug marketing, must receive serious consideration. What do you think? Let’s start a conversation in the comments below.

To read more about Internet of Everything (IoT) and Children’s Toy Security:

Jenna Wortham writes about “‘Future Crimes,’ by Marc Goodman”

Lily Hay Newman writes about “Internet-Connected Toys Are Getting Hacked, and It’s As Creepy As We Feared It Would Be”



About dleastep

This blog was created for coursework participation during WVU's Reed College of Media's Emerging Media and The Market Late Fall 2015 class. As a candidate for the Digital Marketing Communications (DMC) Graduate Certificate, which I am completing as continuing education for my Master of Science in Journalism (MSJ), I hope to better understand today's dynamic global media audience habits and engagement with brands, organizations and community. Please join the conversation with my fellow classmates as we explore emerging media effectiveness, its creative processes and impact on society ethics by commenting on my posts or linking to classmate blogs listed on the right of my blog-page.

4 Responses to Don’t Rely on Santa to Deliver Connected-Toy Cyber Security

  1. Andrea Joliet says:

    This is scary stuff, indeed. I’m shocked that VTech isn’t required to post a notification on its website about the breach. The notification laws in healthcare are very stringent about security breaches and patient data.

    • dleastep says:

      Hi Andy!
      There were reports that at least initially, VTech explained why its Learning Lodge was off-line, but that notice was absent by the time I looked at the site, a few days later.

      I would suspect that VTech chose to minimize any customer notifications due to the holiday buying season, perhaps given the lower legal risk of customer user data misuse, given the presumed hacker says he/she intends only to have the hacking vulnerability fixed. I think the lack of consumer notification is something US lawmakers need to correct, since these “behind-the-scenes” technical toymaker vulnerabilities are something most parents are in no position to evaluate.

      Thanks for sharing your concerns, I agree!


  2. prleytevidal says:


    What’s your feeling on the hacker claiming that they just wanted to bring these issues to light? There is a part of me that feels like that maybe wasn’t their original intention, but once they realized the depth of the information they decided to come forward. That could just be me thinking the worst, but there could be other ways of testing and approaching the company with the results.

    • dleastep says:

      Thanks for the question Tricia!

      Of course without knowing the individual directly, I only have a distant impression. In doing some background issue on toy IoT security, I noticed one of the security experts often quoted in the UK press, was the individual the hacker turned over his data to, for validation before going to Motherboard with his interview. I found his story credible (he was a gamer, tech geek who regularly visits a forum some of the VTech older gamers visit) and his concerns that we thought VTech would not find his claim credible and would do nothing to fix the network issues, probable. I wondered if the hacker might not have been a teenager or young adult? There was an unnamed 21-year-old arrested a few days ago in the UK on suspicion of being the hacker, but the police provided no details on the investigation noting only that they intended to prosecute cyber criminals. As time goes by, we’ll see if this individual is prosecuted, or not. The whole lack of security and cyber hack potential surely makes me steer clear of IoT connected toys for family, until we are much further down the road in ensuring privacy safeguards.

