As a result of a November 14 cyber attack on VTech’s Learning Lodge app store, approximately 6.4 million child profiles were exposed in addition to approximately 4.9 million parent accounts. VTech is a retail toy maker that manufactures and sells traditional toys and “smart toys,” such as electronic learning tools with computer capabilities.
According to the company, the exposed children’s information included name, gender, and birth date. Parent account information included name, mailing address, email address, encrypted password, IP address, download history, and account credentials (secret question and answer for password retrieval). However, the breach did not compromise personal information such as credit card information, driver’s license numbers, or Social Security numbers as that type of personal identification data was not stored in the Learning Lodge app store database.
The alleged hacker told a journalist from the website Motherboard that he did not intend to publish or sell the data, but had used it to reveal VTech’s weaknesses. Motherboard also reported that the hacker accessed profile pictures and messages; however, VTech has not confirmed this allegation.
In light of the data breach, VTech recommends that users “immediately change [their] passwords and secret questions on any other sites or services that may use the same password or secret question or answer as those used on Learning Lodge.” VTech stated that it is committed to protecting its customers’ personal information and that it will continue to investigate the breach while looking for additional ways to strengthen its security going forward.
This cyber attack highlights children’s privacy in general and the cyber security risks associated with smart toys in particular. Children are placing more personal information online through social networks and through smart toys. Toy makers and “ed(ucation)-tech” companies would do well to learn from such incidents and to stay apprised of the ongoing legislative proposals and amendments in numerous states and in Congress, such as those for the Family Educational Rights and Privacy Act (“FERPA”).
The event also highlights the need for security by design – considering security during the development and conceptual phase of the product life cycle. The challenge of balancing cyber security, privacy, and business requirements demands thoughtful discussion before a product or service is released. The burden and costs of having this discussion after the product is released are exponentially greater, as is the inevitable loss of customer trust and goodwill.