Connected toy manufacturer improves safeguards to adequately protect children’s information

PIPEDA Report of Findings #2018-001

January 8, 2018


Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Overview

VTech Holdings Limited (a manufacturer with headquarters in Hong Kong) notified our Office of a global data breach which had resulted in the potential compromise of the personal information of over 316,000 Canadian children (e.g., name, gender, DOB, profile pictures, voice recordings and logs of chat discussions with parents) in addition to that of over 237,000 Canadian adults, generally parents associated with those children (e.g., name, email, IP and mailing address). The affected individuals either bought or engaged with the company’s various children’s web-based products and services. We subsequently received a complaint from a Canadian affected by the breach and commenced an investigation to assess the adequacy of the organization’s information security safeguards.

Our investigation uncovered significant safeguard deficiencies throughout VTech’s information management process. In particular, we noted: (i) a lack of testing and maintenance to identify and mitigate vulnerabilities (noting that the attacker exploited a well-known vulnerability to gain access to VTech’s systems in this case); (ii) inadequate administrative access controls; (iii) various cryptographic deficiencies; (iv) the absence of security monitoring and logging to detect potential threats; and (v) no overarching comprehensive security management program.

Those safeguards were not commensurate with the amount and potential sensitivity of the information at risk, which in our view could, in the wrong hands, put children at unnecessary risk of harm via targeting for malicious activity.

Ultimately, we were satisfied that, following the breach and during the course of our investigation, VTech implemented timely and comprehensive measures to: (i) contain the breach; (ii) address the risk to affected individuals; and, (iii) mitigate against the risk of a similar future breach by addressing safeguard concerns.

Accordingly, we concluded that the matter was well-founded and resolved.

Complaint

  1. The complainant alleged that VTech Holdings Limited (“VTech” or the “respondent”) failed to safeguard the personal information of its customers, including children. Specifically, the complainant alleged that VTech’s servers were hacked and that, as a result, there was unauthorized access to customer information, potentially including the personal information of the complainant and/or his son.

Summary of investigation

Background

  1. VTech is a manufacturer of electronic learning products for children (as well as the world's largest manufacturer of cordless phones). Headquartered in Hong Kong, the respondent has operations in 13 countries and regions.Footnote 1 VTech Technologies Canada Ltd. is the organization’s Canadian subsidiary.
  2. In late November 2015, a number of media reports described a global data breach of VTech’s systems (the “breach”). The respondent formally notified our Office of the breach in early December.
  3. The complainant, who is a VTech customer and owns several of the respondent’s web-enabled toys (i.e., the “V.Reader Interactive E-Reading System" and the "Tote & Go Laptop WEB"), was concerned about the incident, as reported, and filed the current complaint with our Office.
  4. VTech’s legal counsel commissioned a forensic investigation to determine the cause and extent of the breach. VTech provided our Office with details of the findings of that investigation. Our investigation and this report were informed by: (i) representations from VTech, including in relation to the forensic findings; (ii) our Office’s own research; and (iii) interaction and collaboration with our international counterparts, the United States Federal Trade Commission and the Hong Kong Privacy Commissioner for Data Protection.

Details of the Breach

  1. Between 12 and 29 November 2015, an unauthorized user gained access to several different VTech environments. The attacker initially gained access to one VTech environment, located on a server hosted by a third party, using SQL injection. He then used various methods (including compromised local administrative credentials and valid passwords stored in a test environment) to escalate privileges, move laterally between several environments, and ultimately access customer data in a live production environment. He then copied and exported certain of that data off VTech’s network.
  2. VTech submitted that since it was unable to determine exactly what data had been exfiltrated by the attacker, it assumed that all data residing on compromised servers could have been accessed or copied. This data related to the following online websites and apps: (i) Learning Lodge (which allows customers to download apps, learning games, e-books and other educational content to their VTech products); (ii) Planet VTech (an “online world” designed for children); and (iii) Kid Connect (an app that allows children and parents to exchange voice and text messages, photos etc. between VTech devices and parents’ smartphones). The information in the databases associated with those environments (the “databases”) included the following:
    1. Parent account information - including name, email address, secret question and answer for password retrieval, IP address, mailing and billing address, last 4 digits of credit card and expiration date, download history, history of device purchases, and password.
    2. Information about children - including child's name, gender and birthdate, photos, voice recordings and chat messages (between parents and their children).
  3. The breach affected over 316,000 Canadian children and over 237,000 Canadian adults (generally parents associated with those children).
  4. VTech also confirmed that the account-related personal information of the complainant and his son could have been compromised via the breach.
  5. The respondent noted that the databases did not contain credit card or other financial account information. For example, to complete the payment or check-out process for any downloads made via the Learning Lodge website, VTech customers are directed to a secure, third-party payment gateway. It also explained that the databases did not contain ID card numbers, Social Insurance Numbers, driving license numbers or other similar identifiers.
  6. The unauthorized user has since been arrested and the accessed information recovered from his devices.
  7. VTech explained its understanding that the unauthorized user intended only to highlight alleged vulnerabilities in VTech’s information security.Footnote 2 He shared certain accessed information with a reporter, who in turn provided some of that information to a security blogger, for validation purposes before going public. The information has since been taken offline. VTech made arrangements with the reporter’s agency and blogger to secure the return and/or deletion of all the information in question. VTech has no indication that the unauthorized user provided copies of, or access to, the subject information to anyone else, or that further disclosures of the information have occurred.

Safeguards Concerns

  1. VTech claimed that it had already identified the need to conduct a risk assessment in respect of the compromised systems, and that certain aspects of that assessment had been scheduled but not yet completed in advance of the breach.
  2. VTech also provided our Office with significant detail regarding the safeguards it had in place and the safeguard shortcomings which had been identified during the ensuing forensic investigation. The summary below is not exhaustive but outlines certain of the key issues that had been identified.
Testing and maintenance
  1. The attacker accessed one of VTech’s networks using a well-known commonly exploited security vulnerability, namely SQL injection. VTech did not have a program of regular testing in place to identify such vulnerabilities. As a consequence, known mitigation strategies available to address this issue had not been implemented. It also lacked a regular program to ensure that software was up-to-date and patched to address known vulnerabilities.
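The following is an added illustration and not code from the report or from VTech: the report names SQL injection as the entry point but gives no detail of the affected application, so this shows the general pattern with a constructed in-memory SQLite table. A login lookup built by string concatenation is placed beside the parameterized form of the same query; the table, account rows and payloads are all constructed for the example.

```python
"""Added example (not from the OPC report or VTech's code): a string-built
SQL query beside its parameterized equivalent, run against a constructed
in-memory SQLite table so the difference is observable."""
import sqlite3

# Constructed sample rows. Passwords are kept in plaintext here only to keep
# the injection point isolated; hashing is a separate concern.
SAMPLE_ACCOUNTS = [
    ("parent@example.com", "correct horse"),
    ("admin@example.com", "hunter2"),
]


def build_db():
    """Create the constructed accounts table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn, email, password):
    """Vulnerable form: user input is spliced into the SQL text, so quote
    characters and keywords in the input are parsed as SQL syntax."""
    sql = (f"SELECT email FROM accounts WHERE email = '{email}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, email, password):
    """Hardened form: placeholders are bound by the driver, so the input is
    only ever compared as data and never interpreted as SQL."""
    sql = "SELECT email FROM accounts WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, password))]


# Constructed payloads of the two classic shapes: an authentication bypass
# (tautology) and a data dump (UNION into a column the query already returns).
BYPASS_PAYLOAD = "' OR '1'='1"
DUMP_PAYLOAD = "x' UNION SELECT password FROM accounts --"


def demo():
    """Run both payloads through both query builders; returns the results."""
    conn = build_db()
    return {
        # Every row matches: WHERE email='' OR '1'='1' AND password='' OR '1'='1'
        "bypass_vulnerable": login_vulnerable(conn, BYPASS_PAYLOAD, BYPASS_PAYLOAD),
        # The payload is compared literally against the email column: no match.
        "bypass_safe": login_safe(conn, BYPASS_PAYLOAD, BYPASS_PAYLOAD),
        # UNION pulls the password column out through the 'email' result column;
        # the trailing -- comments out the rest of the original query.
        "dump_vulnerable": login_vulnerable(conn, DUMP_PAYLOAD, "anything"),
        "dump_safe": login_safe(conn, DUMP_PAYLOAD, "anything"),
        # A legitimate credential still works through the safe path.
        "legit_safe": login_safe(conn, "parent@example.com", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The regular testing the report calls for would exercise exactly these two payload shapes against every input that reaches a query; the fix that makes them inert is the bound parameter, not input filtering.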
Access controls
  1. There were also deficiencies with regards to administrative-level access controls to the compromised environments, servers and databases – e.g., storage of production passwords in the test environment, sharing of accounts between staff, and local administrators having broad access across networks.
Cryptography
  1. A number of issues were also identified with respect to cryptographic protection of the information under VTech’s control (i.e., encryption, which renders data unreadable without the corresponding key, and salted hashing, which protects stored passwords without needing to recover them). For example, certain information (including parent’s name, child’s name and gender, and security ‘question and answer’ pairs for password recovery) was stored in plaintext, and certain customer communications were transmitted in clear text (i.e., unencrypted). Customer passwords were stored using cryptographic methods that were well-known to be vulnerable. While other information (such as children’s photos, chat logs and voice recordings) was stored in encrypted format, the hacker was able to decrypt at least a portion of this data, as evidenced by information published online, using keys available within the compromised servers.
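The report says only that the password storage methods were “well-known to be vulnerable” and does not name them. The following is an added example, not VTech’s code: an unsalted, single-pass SHA-256 stands in for that class (an assumption made for illustration), beside a per-user salt with a deliberately slow, memory-hard KDF (scrypt). The user set and wordlist are constructed; the scrypt parameters are assumed values chosen for the example.

```python
"""Added example (not VTech's code). The report does not name the weak
password scheme; unsalted single-pass SHA-256 is an assumed stand-in. The
contrast is a per-user random salt plus scrypt, with constructed data."""
import hashlib
import hmac
import os

# Constructed credential set; two parents happen to share a password.
CONSTRUCTED_USERS = {"parent1": "sunshine", "parent2": "sunshine",
                     "admin": "Tr0ub4dor&3"}
# Constructed stand-in for the wordlists attackers actually run.
WORDLIST = ["password", "sunshine", "letmein", "123456"]


def weak_hash(password):
    """Fast and unsalted: equal passwords give equal digests, and one
    precomputed table cracks every store that uses the scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(stored, wordlist):
    """Build the digest table once, then crack all users by lookup."""
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[d] for user, d in stored.items() if d in table}


# Assumed scrypt cost parameters for the example (memory = 128*r*n bytes).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def strong_hash(password, salt=None):
    """Per-user random salt + memory-hard KDF; the record carries its own
    parameters so they can be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_strong(password, record):
    """Recompute with the stored salt and parameters; constant-time compare."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unexpected record format")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_strong(stored, wordlist):
    """No shared table is possible: each (user, guess) pair costs a full KDF
    run. Returns the cracked users and the number of KDF runs spent."""
    found, kdf_runs = {}, 0
    for user, record in stored.items():
        for word in wordlist:
            kdf_runs += 1
            if verify_strong(word, record):
                found[user] = word
                break
    return found, kdf_runs


if __name__ == "__main__":
    weak_store = {u: weak_hash(p) for u, p in CONSTRUCTED_USERS.items()}
    print("weak, cracked by one lookup table:", crack_weak(weak_store, WORDLIST))
    strong_store = {u: strong_hash(p) for u, p in CONSTRUCTED_USERS.items()}
    print("strong, cracked only by per-user KDF runs:",
          crack_strong(strong_store, WORDLIST))
```

A weak password is still cracked in the second case; what changes is that the attacker pays one KDF computation per user per guess, and a leaked table of digests is useless against any other site. This example covers only password storage; the report’s separate finding, that decryption keys for the encrypted photos and recordings sat on the same compromised servers, is a key-management failure that no hashing scheme addresses.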
Logging and monitoring
  1. VTech lacked sufficient host and network security logging and monitoring to detect potential threats or unauthorized/unusual activity (e.g., exfiltration of customer data off of its network). VTech explained that it had intended to implement an intrusion detection and prevention system, but had not yet done so prior to the breach.
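The report does not describe VTech’s network, so the following is an added example rather than anything drawn from the case: a minimal egress detector of the kind the missing logging would have fed, and of the kind implied by the later remediation of restricting and monitoring outgoing traffic. The internal address range, the per-host egress allowlist, the volume threshold and the flow records are all constructed or assumed for the example.

```python
"""Added example (not from the report): detect unexpected egress destinations
and bulk outbound volume from constructed flow records of the form
'<timestamp> <src> <dst> <bytes_out>'."""
import ipaddress
from collections import defaultdict

# Assumed internal address space for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed policy: a database host may only talk to these external addresses
# (constructed; documentation/TEST-NET addresses throughout).
EGRESS_ALLOWLIST = {
    "10.0.5.10": {"203.0.113.7"},   # database server -> payment gateway
}

# Assumed threshold for total outbound bytes per source over the log window.
VOLUME_THRESHOLD = 100 * 1024 * 1024

# Constructed flow log: a database host's normal traffic, one very large
# transfer to an unknown external host, and an unrelated workstation.
FLOW_LOG = """\
2024-01-01T01:00:00Z 10.0.5.10 203.0.113.7 4200
2024-01-01T01:05:00Z 10.0.5.10 203.0.113.7 3900
2024-01-01T02:10:00Z 10.0.5.10 198.51.100.23 734003200
2024-01-01T02:12:00Z 10.0.7.2 10.0.5.10 1200
2024-01-01T02:15:00Z 10.0.7.2 192.0.2.44 9800
"""


def parse_flows(text):
    """Parse the constructed flow format into (ts, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((ts, src, dst, int(nbytes)))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows, volume_threshold=VOLUME_THRESHOLD):
    """Two rules over internal->external flows only:
    1. a host with an egress allowlist talks to an address not on it;
    2. a host's total outbound bytes exceed the threshold."""
    alerts = []
    out_bytes = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # internal-to-internal and inbound flows are not egress
        out_bytes[src] += nbytes
        allowed = EGRESS_ALLOWLIST.get(src)
        if allowed is not None and dst not in allowed:
            alerts.append(("unexpected_egress_destination", src, dst, ts))
    for src, total in out_bytes.items():
        if total > volume_threshold:
            alerts.append(("egress_volume_exceeded", src, total))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(FLOW_LOG)):
        print(alert)
```

Both rules depend on the two things the report found absent: flow or host logs retained somewhere central, and a written expectation of where each sensitive host is permitted to send data. Without the allowlist, the first rule cannot exist; without retained logs, neither can be applied after the fact.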
Security Management Framework
  1. Finally, while VTech had various policies and procedures in place to address specific privacy issues, VTech lacked a comprehensive overarching data security policy, associated training and a program for regular risk assessments and policy reviews.

Breach Response

  1. In addition to hiring a forensic expert to analyse the cause and extent of the breach, and notifying our Office and other relevant authorities about the breach, VTech undertook steps to contain the breach, mitigate the risk to individuals whose information had been compromised, and improve safeguards with a view to minimizing the risk of a future breach.
  2. VTech provided our Office with significant information regarding the measures that it put in place following the discovery of the breach. While we will not provide full details of those measures, so as not to undermine the safeguards implemented, the following is an outline of VTech’s remedial actions.
Containment
  1. Upon learning of the breach from the media outlet that was about to report publicly on the matter,Footnote 3 VTech took steps to initially contain it, including taking relevant databases, servers and websites offline and cleaning/rebuilding infected systems before going back online.
Risk to Affected Individuals
  1. VTech took a number of steps to mitigate the risk to individuals whose personal information was compromised as a result of the breach. For example, users were notified both directly (emails to affected customers on 27 November 2015, which included general information about the breach and instructions regarding safety measures users could take to mitigate resulting risks) and indirectly, by way of press releases, social media and an FAQ page on its website. Users were required to change their passwords upon their first subsequent login. VTech also worked with law enforcement officials in various countries with a view to assisting investigations of the unlawful hack.
Risk of Future Breach
  1. Both reactively and subsequent to regulatory intervention by privacy enforcement authorities, VTech implemented a number of remedial measures in response to the breach to mitigate the risk of a similar breach in future, including:
    1. Testing/maintenance: VTech implemented: (i) a regular, multifaceted testing protocol to identify potential system vulnerabilities; and (ii) an update/patch management program to mitigate the risk of known vulnerabilities.
    2. Administrative access controls: VTech has taken steps to limit the number of individuals with administrative access, and limited the scope of access available via individual accounts (e.g., to limit cross-network access of local administrators). They have also strengthened authentication controls (e.g., strong passwords) and put in place organizational measures to more strictly control the use of administrative accounts.
    3. Cryptography: VTech has implemented enhanced cryptography for stored information, as well as encryption for user information in transit via its websites and apps.
    4. Logging and monitoring: VTech has increased and centralized log event retention to assist with detecting and investigating unauthorized activities on its network. It has also restricted and now monitors outgoing traffic to the internet.
    5. Security Management Framework: VTech has implemented a new comprehensive data security policy, which provides for the creation of a Data Security Governance Board to ensure, among other things: (i) staff awareness via annual training regarding the policy and data security; (ii) policy compliance; and (iii) annual risk assessments, best-practice benchmarking and reviews so that the policy and associated data security measures remain adequate.
  2. VTech asserted that these changes minimize the risk of recurrence of a breach by making it more difficult for a hacker to access VTech’s systems, compromise credentials, escalate privileges, move across the network and access customer information.

Application

  1. In making our determinations, we applied Principles 4.7, 4.7.1, 4.7.2, and 4.7.3 of Schedule I of the Act.
  2. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 further states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. It further provides that organizations shall protect personal information regardless of the format in which it is held. Principle 4.7.2 provides, in part, that the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information as well as the method of storage. More sensitive information should be safeguarded by a higher level of protection. Principle 4.7.3 also provides that the methods of protection should include: (a) physical measures, such as locked filing cabinets and restricted access to offices; (b) organizational measures, such as security clearances and limiting access on a “need-to-know” basis; and, (c) technological measures, such as the use of passwords and encryption.

Analysis

  1. In our view, VTech did not implement adequate organizational and technological safeguards to protect customers’ personal information.
  2. The level of safeguards must be commensurate with the sensitivity of the information in question, and informed by the potential risk of harm to individuals that could result from compromise of the data in question.
  3. The data within VTech’s control, and compromised via the breach, included extensive personal information (e.g., name, date of birth, address, email address, and security question answers), which could be used for purposes of phishing or identity theft.
  4. Furthermore, we note that VTech was in control of the personal information of millions of customers, with the information of over 500,000 Canadians, including over 300,000 Canadian children, compromised by the breach.
  5. Finally, and perhaps most importantly, the data encompassed significant personal information of children, including details about their parents and where they live, along with the contents of photos, chat logs and voice recordings. This information, when taken together, could create rich profiles, and in the wrong hands, could subject children to unnecessary risk of being maliciously targeted. Luckily, that would not appear to have been the hacker’s motivation in this case, but the information in question was, nonetheless, highly sensitive given the potential harm that could have resulted to children, a vulnerable group.
  6. In our view, given the sensitivity of the information under VTech’s control and the number of individuals affected, including children, VTech was required to have heightened safeguards in place to adequately protect against unauthorized access.
  7. Given the technological and organizational deficiencies outlined under “Safeguards Concerns” above, VTech clearly failed to ensure adequate safeguards — these failures were evident in the development, implementation, and subsequent maintenance of its web and information management program.
  8. VTech should have had a program of regular testing and maintenance in place to identify and mitigate system vulnerabilities. As discussed above, in this case, the attacker was able to exploit a well-known and well-understood class of vulnerability (SQL injection), which had been left unmitigated by VTech.
  9. Administrative account holders will often, by virtue of their role requirements, have greater access to information and systems modification capabilities. This renders administrative accounts a common target for hackers. It is therefore important to implement strict controls to limit administrative account access to those authorized individuals who require it. Organizations should also limit the access and privileges for each administrative account to those required for the role in question, including to ensure segmentation between data environments. As outlined above, VTech’s administrative access controls were inadequate — the attacker was able to leverage initial access to a test environment and a local administrative account to move between environments and ultimately gain access to sensitive information of customers and children from around the world.
  10. Furthermore, VTech should have ensured that the sensitive information in question was protected by adequate cryptography. In this case, much of the information in question was either stored or transmitted without any cryptographic protection. Password cryptographic protection was inadequate, and encrypted data was left vulnerable by failing to adequately protect decryption keys.
  11. Furthermore, VTech should have had a regular program of monitoring and logging to detect and mitigate threats like that which resulted in this breach.
  12. Finally, VTech should have had a comprehensive security policy, including a program of regular training, compliance monitoring, risk-assessment and policy review to ensure adequate protection of the information within its control.
  13. Ultimately therefore, in our view, VTech contravened Principle 4.7 of the Act.
  14. We are, however, satisfied that subsequent to the breach and interventions by our Office and that of our privacy enforcement counterparts, VTech implemented sufficient and timely measures (as outlined under “Breach Response” above) to:
    1. contain the breach - e.g., by taking systems offline, resetting credentials of compromised administrative accounts,
    2. mitigate the risk to affected individuals - e.g., via prompt notification and password resets (noting in particular that VTech took the positive approach, in absence of certainty with respect to what information had been exfiltrated, of assuming that all data on compromised servers could have been accessed or copied), and
    3. mitigate the risk of a future breach - e.g., by implementing
      1. regular testing and maintenance/updates to identify and mitigate potential vulnerabilities;
      2. more robust and limited access controls;
      3. enhanced cryptographic practices to better protect the information under its control;
      4. increased monitoring and logging to detect potential threats; and
      5. a comprehensive security management framework to ensure staff awareness and compliance, as well as ongoing safeguards adequacy.
  15. In coming to the determination that this matter has been resolved, our confidence was further enhanced by the fact that VTech has entered into a settlement with the United States Federal Trade Commission, which, among other things, requires that VTech implement a comprehensive data security program that will be subject to ongoing audits to ensure its continued adequacy.

Conclusion

  1. Accordingly, we conclude that the matter is well-founded and resolved.