BreachExchange mailing list archives

VTech Security: Fool Me Once ...


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 11 Feb 2016 19:14:14 -0700

http://www.databreachtoday.com/blogs/vtech-security-fool-me-once-p-2059

To the annals of "corporate responsibility," add this gem: Hong Kong
toymaker VTech has revised its end-user license agreement to make clear
that it can't be held legally responsible for any data breaches. The move
follows a high-profile hack of its "connected" toy services that earned the
company fourth place on our Top 10 Data Breach Influencers list for 2016 -
and not for good reasons (see Why VTech Breach is So Bad - and So
Avoidable).

The breach also left VTech with an image problem: Why should consumers
trust a company that sells Internet-connected toys - and more recently home
automation and security systems - if the business can't even keep
children's profiles and chat messages with their parents safe from a hack?

"No company that operates online can provide a 100 percent guarantee that
it won't be hacked."

Yet VTech's latest response looks almost laughably flat-footed: It's
rewritten the 2,400-word terms and conditions that govern its products -
and, let's be frank, which few people read. As Vice first reported, the
revised T&C's "limitation of liability" subsection now includes such
language as: "You acknowledge and agree that any information you send or
receive during your use of the site may not be secure and may be
intercepted or later acquired by unauthorized parties."

Responding to VTech's latest move, Australian information security expert
Troy Hunt says it shows the company failing to step up to its
responsibilities, including where children's data is concerned.
Furthermore, he argues, consumers must be able to trust businesses to keep
their data secure.

"Look, I'm the first person to acknowledge that there are very few
absolutes in security and there always remains some sliver of a risk that
things will go wrong, but even then, you, as the organization involved,
have to take responsibility," Hunt says in a blog post. "If they honestly
don't feel they're up to the task of protecting personal information, then
perhaps put that on the box and allow consumers to consciously take their
chances rather than implicitly opting into the 'zero accountability'
clause."

'Skilled Hacker' Breached Toymaker

What rankles, of course, is that VTech's move comes in the wake of it
suffering a serious November 2015 breach. The company says databases for
its Learning Lodge, Kid Connect bulletin boards and PlanetVTech website
databases were compromised, resulting in the exposure of 7 million kids'
profiles and 5 million parents' profiles, including photos and chat logs.
About 1.2 million of those kids also had a service called Kid Connect
enabled, which allows them to chat with parents via their toys. VTech has
blamed the breach on "a skilled hacker," noting that a related police
investigation continues. So far, that investigation has resulted in the
arrest of one man by British police (see VTech Breach Suspect Arrested).

VTech recently announced that on Jan. 23 it restored its Learning Lodge
online service and related app store, which had remained offline following
it learning of the Nov. 14, 2015, attack. VTech says its bulletin boards
will be reopened later, but that its PlanetVTech site will not.

VTech is now defending the change to its terms and conditions, with
spokeswoman Grace Pang noting that while it's "worked hard" to improve
security since the breach, "no company that operates online can provide a
100 percent guarantee that it won't be hacked."

She adds: "The Learning Lodge terms and conditions, like the T&Cs for many
online sites and services, simply recognize that fact by limiting the
company's liability for the acts of third parties such as hackers," noting
that "such limitations are commonplace on the Web."

Time for a Boycott?

But multiple security experts continue to question the company's move,
noting that VTech was hardly suggesting before its breach that it was 100
percent hack-proof (see Why "Smart" Devices May Not Be Secure). "If VTech
thinks that those T&Cs are the answer to their problems, I think they
should be given a bigger problem to deal with," Ken Munro, a partner at
penetration testing firm Pen Test Partners, tells the BBC. "Boycott them
and take your money somewhere else."

Callum Murray, head of commercial technology at law firm Kemp Little, also
tells the BBC that VTech's move is legally questionable. "It's unusual to
see these terms in consumer contracts, and it's questionable if they would
be enforceable," he says.

But is VTech's legalese move "commonplace," as the company suggests? "I
don't see this as any different than any other CYA language in response to
FTC [U.S. Federal Trade Commission] enforcement actions or lawsuits," the
privacy-rights blogger known as Dissent tells me via Twitter (see LifeLock
Settles FTC Case for $100 Million).

If VTech's attempt to legally absolve itself from hack attacks is the legal
norm, what does that say about the state of our information security, and
the security of "smart" products marketed in particular to children?


Enter the EU

Thankfully, help is on the way, at least for Europeans, in the form of the
EU's General Data Protection Regulation - GDPR - which is scheduled to take
effect in two years. "As of spring 2018 any organization trading in any EU
member state - that'll include you, VTech - that collects personal data is
legally obliged to properly protect that data," Munro says in a blog post,
noting that personal data means any information that could be used to
identify a person, including location data and IP addresses, not just
names. Compliance with the new EU law will be mandatory, and backed by
penalties of up to 20 million euros ($22.7 million) or up to 4 percent of a
company's annual worldwide profits for the preceding year - whichever is
greater.

"VTech, you have two years to get your house in order," Munro says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
