Lawmakers have requested details from hacked digital toy maker VTech about its child data collection and protection.
Sen. Edward Markey, D–Mass., and Rep. Joe Barton, R –Tex., have sent a letter to VTech requesting information on what data it collects on children using its products and how it protects that sensitive information.
“We write to convey our concerns about the recent cybersecurity attack on your company and the resulting theft of private information on millions of Americans, including children 12 years old and younger,” wrote the lawmakers. “This breach raises several questions about what information VTech collects on children, how that data is protected, and how VTech complies with the Children’s Online Privacy Protection Act (COPPA).”
VTech said Wednesday that over 4.8 million parent accounts and almost 6.4 million related child profiles are affected by the hack. Just over 2.2 million parent accounts and almost 2.9 million child profiles are in the U.S., it added.
The company confirmed the data breach of its Learning Lodge online portal Friday, and provided additional information on the scale of the hack Wednesday. “Regretfully our Learning Lodge, Kid Connect and PlanetVTech databases were not as secure as they should have been,” it said, in a statement. “Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks. All other VTech systems have not been affected.”
Customers use Learning Lodge to download apps, learning games and e-books to VTech products such as learning tablets. VTech customers also use Learning Lodge to register accounts, both for themselves and their children. Kid Connect lets parents using a smartphone app chat with their kids using a VTech tablet.
VTech has temporarily suspended Learning Lodge and Kid Connect following the hack.
In their letter, Markey and Barton ask for responses to questions that include what data is the company collecting about children 12 years old and younger, how VTech uses data collected about children, and if the firm shares or sells information about kids.
Citing the hacker who claimed responsibility for the hack, Motherboard reported Friday that the personal data of more than 200,000 children was exposed. The hacker, who asked to remain anonymous and has no plans to exploit the data, also told Motherboard that sensitive information, such as kids’ photos and chatlogs between parents and children, was left exposed on VTech servers.
VTech said Wednesday that it is unable to confirm whether the hacker has taken photos of parents and their children on Kid Connect. With its investigation into the hack still ongoing, VTech is also unable to confirm whether chat logs and audio files on Kid Connect were leaked. “Audio files are encrypted by AES128, whereas chat logs are not encrypted,” it added.
Parent account information stored in the VTech database includes name, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted password. The database also stores kids’ profile data including name, gender, and birthdates.
VTech reiterated Wednesday that its database does not contain any credit card information or personal identification data such as ID card numbers, Social Security numbers or driving license numbers.
The company said that the case has been reported to the authorities.
“We have appointed data security legal specialists who are in the process of liaising with local authorities,” it said, in its statement. “We are committed to learning from this incident - making the necessary improvements to our network security to ensure that our customers can continue to enjoy our products, safe in knowledge that their data is secure.”