
VTech, the maker of smart toys whose poor security practices exposed data from millions of parents and children, has been slapped on the wrist by the FTC to the tune of $650,000 and probation. It seems a light penalty for such a multifaceted failure affecting so many.

The Hong Kong company makes a variety of “smart” toys, like watches and cameras, and parents and children were encouraged to set up profiles on VTech’s site with pictures and personal details. In November of 2015 a security researcher found that millions of those profiles could be accessed via one of the company’s websites.

Not only was the website itself not secure, but the data were not encrypted in transit or at rest, contradicting security claims made in VTech’s privacy policy. This is not just poor practice, it’s a violation of COPPA, a rule meant to protect children’s privacy. The FTC stepped in shortly afterwards to look into these violations.

The number of parents and children affected is hard to estimate, but at the time nearly 5 million parent records and 227,000 child records were shown to be accessible. However, the FTC in the summary of its investigation notes:

…about 2.25 million parents had registered and created accounts with Learning Lodge for nearly 3 million children. This included about 638,000 Kid Connect accounts for children. In addition, about 134,000 parents in the United States created Planet VTech accounts for 130,000 children by November 2015…

And the Canadian Office of the Privacy Commissioner writes that “more than 500,000 Canadian children and their parents” were affected. At any rate the total number is certainly in the millions.

The FTC today announced the results of its investigation, namely that VTech violated U.S. law in a couple ways and failed to secure its data both as promised and as required. Its punishment: pay $650,000 and never do it again. The Canadian OPC doesn’t seem to have issued any punishment at all (I’ve asked for details).

It’s hardly a heavy fine for a company that was selling millions of devices, and may embolden others weighing the cost of real security against the risk of being caught and fined. It seems unlikely that the parents and children whose data was exposed by the extremely irresponsible actions of a global company will find this settlement satisfying — however logical it appears to the FTC.

It is also worth noting that this is the agency that will be responsible for enforcing part of our new, much-reduced net neutrality rules. If gross negligence and a breach affecting millions, including children, provoke only a minor fine and warning like this — two years after the fact, by the way — what hope do we have that the FTC will act as an effective deterrent for the subtler abuses and far richer companies that net neutrality protected people against?

You can read the full text of the settlement here (PDF).
