Last November, it was reported that children’s toy maker VTech had its Learning Lodge app store database hacked. The breach saw data that included names, e-mail addresses, passwords, mailing addresses and IP addresses being compromised. The attacker also downloaded a large number of photos and chat logs, many involving children.
Now, more than two months after the attack, VTech has relaunched its online app store with some upgraded security features. But cybersecurity experts are condemning the site’s updated terms and conditions that absolve the company of any responsibility should another hack take place.
As noted by Australian security specialist Troy Hunt, VTech’s T&C’s read:
You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.
You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.
You acknowledge and agree that your use of the site and any software or firmware downloaded there from is at your own risk.
Recognising such, you understand and agree that… neither VTech nor [its partners] or employees will be liable to you for any […] damages of any kind.
It seems as if the document, which was updated on December 24, suggests that customers will have no grounds for complaining to VTech should another breach occur – they’ve already agreed that the site isn’t secure.
"If [VTech] honestly feel they're not up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the 'zero accountability' clause,” wrote Hunt.
Some security researchers have called for parents to boycott VTech’s products. "This is an unbelievably arrogant and derogatory response considering their track record with data security," said Ken Munro from Pen Test Partners. "If VTech think that those T&Cs are the answer to their problems I think they should be given a bigger problem to deal with. Boycott them and take your money somewhere else."
— Troy Hunt (@troyhunt) February 9, 2016
VTech has responded by claiming that Terms and Conditions of this nature are quite common.
"Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information," said a spokeswoman. "But no company that operates online can provide a 100% guarantee that it won't be hacked."
"The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company's liability for the acts of third parties such as hackers," she added. "Such limitations are commonplace on the web."
In December, a 21-year-old man from Berkshire, England, was arrested in connection with the hack. Despite the fallout from the breach, VTech is about to expand its business by acquiring rival toymaking company LeapFrog in a $72 million deal.