Security experts are urging parents to boycott electronic toy maker VTech after the company updated its terms and conditions to explicitly note that it is not responsible for any data breach.
The change to the company’s policy comes just two months after a hack exposed the private data of some 10 million customer accounts – including over 237,000 Canadian adults and 316,000 Canadian children.
VTech’s terms and conditions appear to have been updated on Dec. 24, 2015 – less than a month after news of the massive data breach broke.
However, the new language was only brought to light this week by security expert Troy Hunt, who has been following the fallout from the VTech hack closely.
The updated terms and conditions read, in part: “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.”
VTech said the updated language is in line with the terms and conditions of many other online sites and services, noting that “such limitations are commonplace for the web.”
“Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information. But no company that operates online can provide a 100 per cent guarantee that it won’t be hacked,” a company spokesperson told BBC.
Global News contacted VTech regarding the changes; however, a request for comment was not immediately returned.
Data from both parents and children was exposed after the company’s app database was hacked in November. It contained customer names, email addresses, passwords, IP addresses, mailing addresses and download histories as well as kids’ profile information, including names, genders and dates of birth.
It’s alleged the hacker also obtained children’s head shots attached to gaming profiles, as well as chat logs between kids and parents.
According to “Have I been Pwned,” a website dedicated to detailing the Internet’s worst data breaches, the VTech hack is now the seventh-largest consumer data breach in history.
But security experts say this latest move shows that VTech hasn’t taken responsibility for the breach.
“Look, I’m the first person to acknowledge that there are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility,” wrote Hunt on his blog.
“Certainly that’s the expectation of the customer – that the information they provide will remain secure – and VTech (or anyone else for that matter) cannot simply just absolve themselves of that responsibility in their terms and conditions. People don’t even read these things!”
Cybersecurity expert Graham Culey said that instead of taking the opportunity to step up and focus on privacy and security, VTech has simply “covered its arse” with a legal document.
“That kind of attitude doesn’t fill me with any confidence at all that VTech has really learned its lesson,” Cluley said in a YouTube video.