News release

VTech breach investigation highlights security failures

Inadequate security measures by connected toy maker left sensitive data of millions of children around the globe vulnerable to unauthorized access

GATINEAU, QC, January 8, 2018 – An investigation into a global data breach at VTech found the connected toy maker had failed to adopt adequate security measures to protect sensitive personal information of children.

The breach at VTech Holdings Ltd. in late 2015 compromised the personal information of millions of people around the world, including more than 500,000 Canadian children and their parents.

“The investigation identified a number of significant security shortcomings,” says Daniel Therrien, Privacy Commissioner of Canada. “We are pleased that VTech has implemented improvements to its security systems and policies to better protect children’s sensitive personal information.”

The Office of the Privacy Commissioner of Canada is satisfied that these measures are sufficient and will reduce the risk of a future breach.

The Commissioner’s office investigated the breach in cooperation with the U.S. Federal Trade Commission, which also announced today that it has reached a settlement with VTech. The office also collaborated with the Privacy Commissioner for Personal Data for Hong Kong, where VTech is headquartered. 

The breach occurred when an attacker exploited a well-known security vulnerability to hack into a VTech network and from there was able to gain access to other company networks. The compromised databases held information such as the names, birthdays, photos and voice recordings of children, as well as parents’ addresses and other account information.

The Privacy Commissioner’s investigation highlighted numerous security shortcomings related to system security testing and maintenance, internal access controls, cryptography protections and monitoring. For example, some information, such as names and password recovery questions and answers, was stored in an unencrypted format.

VTech also lacked a comprehensive overarching data security policy, which is essential for ensuring that safeguards remain adequate on an ongoing basis and that staff are aware of and comply with security policies and procedures.

The Privacy Commissioner’s investigation report highlights important lessons for other organizations that collect the personal information of children. In particular, heightened safeguards need to be in place to protect sensitive information from unauthorized access.

About the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy law.

See also:

Report of Findings – VTech Holdings Ltd.

Tips for individuals on Privacy and the Internet of Things

U.S. Federal Trade Commission News release

- 30 -

For more information:

NOTE: To help us respond more quickly, journalists are asked to please send requests for interviews or further information via e-mail.
