Cloud-connected toys that "talk" to children may sound like the future of tots' playtime, but companies making "smart" toys haven't had the best track records for securing customer data. Now, one of the most recently shamed toymakers has apparently decided to clear up the issue by absolving itself any responsibility for protecting parents' — or kids' — sensitive personal information.
Kids'-gadget manufacturer VTech had an entire customer database breached two months ago, and 4 million parents and 6 million children had their personal information compromised. But instead of beefing up its network security in response, the company changed its customer Terms and Conditions agreement to state that its security blunders are now your problem, and that the company should not be held responsible for anything that occurs as a result of a data beach.
The Dec. 24, 2015, update to the company's T&C agreement hides the following nugget of shrug in its fine print:
This updated language was discovered late last week by Twitter user Robin Bradshaw, who tipped off Australian software developer and security researcher Troy Hunt. Hunt noted in a blog post that parents who handed VTech toys to their kids on Christmas Day were also giving them VTech's hands-off approach to customer protection and all the obvious risk that suggests.
Adults who want to give the gift of tech to kids are not having the best month. Mattel admitted on Feb. 2 that there were security flaws in a line of stuffed animals that "converse" with small children. Mattel claimed it patched the flaws before hackers could take advantage of them. The vulnerabilities would have let hackers breach the toy company's servers and learn children's names, birthdates and genders — the kind of information that fuels identity theft and other stranger danger.
Such repeated security mistakes on the part of connected-toy makers may make parents yearn for Lincoln Logs, Hot Wheels and other analog toys. Unfortunately, we can't guarantee that any manufacturer cares more about security than VTech apparently does. (But we are impressed that Mattel fixed its own flaws quickly.)
Before you buy a child a toy that connects to the Internet, perform an online search for "[product name] security," and pay close attention to the results. If the results cite security concerns on tech or hacker news blogs, let that device stay on the shelf.
Buying a cloud-connected toy is still a risk, though, as server breaches and security vulnerabilities aren't exclusive to children's products. Cautious parents may want to heed the advice from Tom's Guide's editorial director Avram Piltch: "The best way to win this game is not to play."
We've reached out to VTech representatives for comment, and will update this story when we receive a response.