Hacked toy maker VTech changes terms to say it’s not liable for data breaches

Fallout over the massive VTech data breach continues. Screenshot/YouTube

Security experts are urging parents to boycott electronic toy maker VTech after the company updated its terms and conditions to explicitly note that it is not responsible for any data breach.

The change to the company’s policy comes just two months after a hack exposed the private data of some 10 million customer accounts – including over 237,000 Canadian adults and 316,000 Canadian children.

VTech’s terms and conditions appear to have been updated on Dec. 24, 2015 – less than a month after news of the massive data breach broke.

However, the new language was only brought to light this week by security expert Troy Hunt, who has been following the fallout from the VTech hack closely.

Story continues below advertisement

VTech said the updated language is in line with the terms and conditions of many other online sites and services, noting that “such limitations are commonplace for the web.”

READ MORE: VTech restores some online services after massive hacking scandal

“Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information. But no company that operates online can provide a 100 per cent guarantee that it won’t be hacked,” a company spokesperson told BBC.

Global News contacted VTech regarding the changes; however, a request for comment was not immediately returned.

Data from both parents and children was exposed after the company’s app database was hacked in November. It contained customer names, email addresses, passwords, IP addresses, mailing addresses and download histories as well as kids’ profile information, including names, genders and dates of birth.

It’s alleged the hacker also obtained children’s head shots attached to gaming profiles, as well as chat logs between kids and parents.

According to “Have I been Pwned,” a website dedicated to detailing the Internet’s worst data breaches, the VTech hack is now the seventh-largest consumer data breach in history.

But security experts say this latest move shows that VTech hasn’t taken responsibility for the breach.

Story continues below advertisement

READ MORE: Kids’ data is valuable too – children at risk of identity theft following VTech hack

“Look, I’m the first person to acknowledge that there are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility,” wrote Hunt on his blog.

“Certainly that’s the expectation of the customer – that the information they provide will remain secure – and VTech (or anyone else for that matter) cannot simply just absolve themselves of that responsibility in their terms and conditions. People don’t even read these things!”

Cybersecurity expert Graham Culey said that instead of taking the opportunity to step up and focus on privacy and security, VTech has simply “covered its arse” with a legal document.

Story continues below advertisement

“That kind of attitude doesn’t fill me with any confidence at all that VTech has really learned its lesson,” Cluley said in a YouTube video.

Sponsored content