=== 2015 data breach ===
{{Update|section|date=July 2016}}
In November 2015, Lorenzo Bicchierai, writing for [[Vice (magazine)|''Vice'' magazine's]] ''Motherboard'', reported that VTech's servers had been compromised and the corporation was victim to a [[data breach]] which exposed personal data belonging to 6.3 million individuals, including children, who signed up for or utilized services provided by the company related to several products it manufactures.<ref>{{Cite web|url=https://boingboing.net/2016/02/09/vtech-having-leaked-6-3m-kids-2.html|title=Vtech, having leaked 6.3m kids' data, has a new EULA disclaiming responsibility for the next leak / Boing Boing|website=boingboing.net|date=9 February 2016 |language=en-US|access-date=2018-01-08}}</ref> Bicchierai was contacted by the unnamed attacker in late November, during the week before [[Thanksgiving]], at which point the unnamed individual disclosed information about the [[security vulnerabilities]] to the journalist and detailed the breach.<ref name=exposed>{{cite web|author1=Franceschi-Bicchierai, Lorenzo|title=One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids|url=https://www.vice.com/en/article/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids/|website=motherboard.vice.com|publisher=Vice magazine|access-date=5 December 2015|date=27 November 2015}}</ref><ref name="Darknet Diaries">{{cite web|last1=Rhysider|first1=Jack|title=Ep 2: The Peculiar Case of the VTech Hacker|url=https://darknetdiaries.com/episode/2/|website=Darknet Diaries|access-date=5 May 2018}}</ref> Bicchierai then reached out to [[information security]] researcher [[Troy Hunt]] to examine data provided by the attacker to Bicchierai, and to confirm if the leak was indeed authentic and not an [[internet hoax]]. Hunt examined the information and confirmed it appeared to be authentic. Hunt then dissected the data in detail and published the findings on his website.
According to Hunt, VTech's servers failed to utilize basic [[Transport Layer Security|SSL]] [[cryptography|encryption]] to secure the personal [[data in transit]] from the devices to VTech's servers, stored customer information in unencrypted [[plaintext]], and failed to securely [[Key derivation function|hash]] or [[salt (cryptography)|salt]] passwords.<ref name=hunt>{{cite web|author1=Hunt, Troy|title=When children are breached — inside the massive VTech hack|url=http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html|website=troyhunt.com|access-date=5 December 2015|date=28 November 2015}}</ref> The attack leveraged an [[SQL injection]] to gain privileged [[superuser|root access]] to VTech servers. Once privileged access was acquired, the attacker exfiltrated the data, including some 190 [[gigabyte]]s of photographs of children and adults, detailed [[chat log|chat logs]] between parents and children which spanned over the course of years, and voice recordings, all unencrypted and stored in plain text. The attacker shared some 3,832 image files with the journalist for verification purposes, and some [[redaction|redacted]] photographs were published by the journalist. Commenting on the leak, the unidentified hacker expressed their disgust with being able to so easily obtain access to such a large trove of data, saying: "Frankly, it makes me sick that I was able to get all this stuff.
VTech should have the book thrown at them" and explained that they went to the press because they felt VTech would have ignored their reports and concerns.<ref name=headshot>{{cite web|author1=Franceschi-Bicchierai, Lorenzo|title=Hacker Obtained Children's Headshots and Chatlogs From Toymaker VTech|url=https://www.vice.com/en/article/hacker-obtained-childrens-headshots-and-chatlogs-from-toymaker-vtech/|website=motherboard.vice.com|publisher=Vice magazine|access-date=5 December 2015|date=30 November 2015}}</ref><ref>{{cite web|author1=Whittaker, Zack|title=VTech hack gets worse: Chat logs, kids' photos taken in breach|url=https://www.zdnet.com/article/vtech-hack-gets-worse-kids-photos-chat-logs-also-stolen/|website=ZDNet.com|publisher=Ziff Davis|access-date=5 December 2015|date=30 November 2015}}</ref>

VTech corporate security was unaware their systems had been compromised, and the breach was first brought to their attention when Bicchierai contacted the company prior to the publication of the article. Upon notification, the company took a dozen or so websites and services offline.<ref name=exposed/><ref name=headshot/> In an [[FAQ]] published by the company, VTech explained that some 4,854,209 accounts belonging to parents and 6,368,509 profiles belonging to children had been compromised. The company further claimed the passwords had been encrypted, which is contrary to reports by the independent security researcher contacted by ''Vice''.
The company indicated they were working with unspecified "local authorities".<ref name=hunt/><ref name=FAQ>{{cite web|author1=VTech press release|title=FAQ about Data Breach on VTech Learning Lodge (last update: December 3, 2015, HKT)|url=http://www.vtech.com/en/press_release/2015/faq-about-data-breach-on-vtech-learning-lodge/|website=vtech.com|access-date=5 December 2015|date=3 December 2015}}</ref> VTech subsequently brought in the information security services company [[FireEye]] to manage [[incident response]] and audit the security of their platform going forward.<ref>{{cite web|author1=Mukherjee, Supantha|author2=Finkle, Jim|title=Digital toymaker VTech hires FireEye to secure systems after hack|url=https://www.reuters.com/article/us-vtech-cyberattack-fireeye-idUSKBN0TM1LE20151203|publisher=Reuters.com|access-date=5 December 2015|date=3 December 2015}}</ref> Mark Nunnikhoven of [[Trend Micro]] criticized the company's handling of the incident and called their FAQ "wishy-washy corporate speak".<ref>{{cite web|author1=Nunnikhoven, Mark|title=Hacked? Don't Respond Like This|url=https://www.linkedin.com/pulse/hacked-dont-response-like-mark-nunnikhoven|website=linkedin.com|access-date=5 December 2015|date=27 November 2015}}</ref> [[United States Senate|U.S. Senator]] [[Edward Markey]] and [[U.S. House of Representatives|Representative]] [[Joe Barton]], co-founders of the Bi-Partisan Congressional Privacy Caucus, issued an [[open letter]] to the company inquiring as to why and what kind of information belonging to children is stored by VTech, how they use this data, the security practices employed to protect that data, whether children's information is shared or sold to third parties, and how the company complies with the [[Children's Online Privacy Protection Act]].<ref>{{cite web|last=Finkle |first=Jim|title=Congress wants VTech details on child data it collects|url=https://www.reuters.com/article/us-vtech-congress-idUSKBN0TL1TJ20151202|publisher=Reuters.com|access-date=5 December 2015|date=2 December 2015}}</ref>

In February 2016, Hunt publicized the fact that VTech had modified its Terms and Conditions for new customers so that the customer acknowledges and agrees that any information transmitted to VTech may be intercepted or later acquired by unauthorized parties.<ref>{{cite news|title=Tech Tent|url=http://www.bbc.co.uk/programmes/p03hlfh5|agency=BBC|date=12 Feb 2016}}</ref><ref>{{cite web|first=Troy |last=Hunt|title=No, VTech cannot simply absolve itself of security responsibility|url=http://www.troyhunt.com/2016/02/no-vtech-cannot-simply-absolve-itself.html|website=troyhunt.com|date=9 Feb 2016}}</ref>

In January 2018, the [[Federal Trade Commission|US Federal Trade Commission]] fined VTech $650,000 for the breach, around $0.09 per victim.<ref>{{Cite web|url=https://boingboing.net/2018/01/08/normalizing-surveillance-2.html|title=Vtech covered up a leak of data on 6.3m children and their families, then tried to force us not to sue - the FTC just fined them $0.09/kid / Boing Boing|website=boingboing.net|date=8 January 2018 |language=en-US|access-date=2018-01-08}}</ref>