Connected toy manufacturer improves safeguards to adequately protect children’s information

PIPEDA Report of Findings #2018-001

January 8, 2018

---

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Complaint

1. The complainant alleged that VTech Holdings Limited (“VTech” or the “respondent”) failed to safeguard the personal information of its customers, including children. Specifically, the complainant alleged that VTech’s servers were hacked and that, as a result, there was unauthorized access to customer information, potentially including the personal information of the complainant and/or his son.

Summary of investigation

Background

2. VTech is a manufacturer of electronic learning products for children (as well as the world's largest manufacturer of cordless phones). Headquartered in Hong Kong, the respondent has operations in 13 countries and regions.^{Footnote 1} VTech Technologies Canada Ltd. is the organization’s Canadian subsidiary.
3. In late November 2015, a number of media reports described a global data breach of VTech’s systems (the “breach”).  The respondent formally notified our Office of the breach in early December.
4. The complainant, who is a VTech customer and owns several of the respondent’s web-enabled toys (i.e., the “V.Reader Interactive E-Reading System" and the "Tote & Go Laptop WEB"), was concerned about the incident, as reported, and filed the current complaint with our Office.
5. VTech’s legal counsel commissioned a forensic investigation to determine the cause and extent of the Breach. VTech provided our Office with details of the findings of that investigation. Our investigation and this report were informed by: (i) representations from VTech, including in relation to the forensic findings; (ii) our Office’s own research; and (iii) interaction and collaboration with our international counterparts, the United States Federal Trade Commission and the Hong Kong Privacy Commissioner for Data Protection.

Details of the Breach

6. Between 12 and 29 November 2015, an unauthorized user gained access to several different VTech cyber environments. The attacker initially gained access to one VTech environment, located on a server hosted by a third party, using “SQL injection”. He then used various methods (including compromised local administrative credentials and valid passwords stored in a test environment) to gain privileges, move laterally between several environments, and ultimately access customer data in a live production environment. He then copied and exported certain of that data off VTech’s network.
7. VTech submitted that since it was unable to determine exactly what data had been exfiltrated by the attacker, it assumed that all data residing on compromised servers could have been accessed or copied. This data related to the following online websites and apps: (i) Learning Lodge (which allows customers to download apps, learning games, e-books and other educational content to their VTech products); (ii) Planet VTech (an “online world” designed for children); and (iii) Kid Connect (an app that allows children and parents to exchange voice and text messages, photos etc. between VTech devices and parents’ smartphones). The information in the databases associated with those environments (the “databases”) included the following:
   1. Parent account information - including name, email address, secret question and answer for password retrieval, IP address, mailing and billing address, last 4 digits of credit card and expiration date, download history, history of device purchases, and password.
   2. Information about children - including child's name, gender and birthdate, photos, voice recordings and chat messages (between parents and their children).
8. The breach affected over 316,000 Canadian children and over 237,000 Canadian adults (generally parents associated with those children).
9. VTech also confirmed that the account-related personal information of the complainant and his son could have been compromised via the breach.
10. The respondent noted that the databases did not contain credit card or other financial account information. For example, to complete the payment or check-out process for any downloads made via the Learning Lodge website, VTech customers are directed to a secure, third-party payment gateway. It also explained that the databases did not contain ID card numbers, Social Insurance Numbers, driving license numbers or other similar identifiers.
11. The unauthorized user has since been arrested and the accessed information recovered from his devices.
12. VTech explained its understanding that the unauthorized user intended only to highlight alleged vulnerabilities in VTech’s information security.^{Footnote 2} He shared certain accessed information with a reporter, who in turn provided some of that information to a security blogger, for validation purposes before going public. The information has since been taken offline. VTech made arrangements with the reporter’s agency and blogger to secure the return and/or deletion of all the information in question. VTech has no indication that the unauthorized user provided copies of, or access to, the subject information to anyone else, or that further disclosures of the information have occurred.

Safeguards Concerns

13. VTech claimed that it had already identified the need to conduct a risk assessment in respect of the compromised systems, and that certain aspects of that assessment had been scheduled but not yet completed in advance of the breach.
14. VTech also provided our Office with significant detail regarding the safeguards it had in place and the safeguard shortcomings which had been identified during the ensuing forensic investigation. The summary below is not exhaustive but outlines certain of the key issues that had been identified.

Testing and maintenance

15. The attacker accessed one of VTech’s networks using a well-known commonly exploited security vulnerability, namely SQL injection. VTech did not have a program of regular testing in place to identify such vulnerabilities. As a consequence, known mitigation strategies available to address this issue had not been implemented. It also lacked a regular program to ensure that software was up-to-date and patched to address known vulnerabilities.

Access controls

16. There were also deficiencies with regards to administrative-level access controls to the compromised environments, servers and databases – e.g., storage of production passwords in the test environment, sharing of accounts between staff, and local administrators having broad access across networks.

Cryptography

17. A number of issues were also identified with respect to cryptographic protection of the information under VTech’s control (i.e., data transformation and scrambling which requires decoding to be read – e.g., via encryption, hashing and salting). For example, certain information (including parent’s name, child’s name and gender, and security ‘question and answer’ pairs for password recovery) was stored in plaintext, and certain customer communications were transmitted in clear text (i.e., unencrypted). Customer passwords were stored using cryptographic methods that were well-known to be vulnerable. While other information (such as children’s photos, chat logs and voice recordings) was stored in encrypted format, the hacker was able to decrypt at least a portion of this data, as evidenced by information published online, using keys available within the compromised servers.

Logging and monitoring

18. VTech lacked sufficient host and network security logging and monitoring to detect potential threats or unauthorized/unusual activity (e.g., exfiltration of customer data off of its network). VTech explained that it had intended to implement an intrusion detection and prevention system, but had not yet done so prior to the breach.

Security Management Framework

19. Finally, while VTech had various policies and procedures in place to address specific privacy issues, VTech lacked a comprehensive overarching data security policy, associated training and a program for regular risk assessments and policy reviews.

Breach Response

20. In addition to hiring a forensic expert to analyse the cause and extent of the breach, and notifying our Office and other relevant authorities about the breach, VTech undertook steps to contain the breach, mitigate the risk to individuals whose information had been compromised, and improve safeguards with a view to minimizing the risk of a future breach.
21. VTech provided our Office with significant information regarding the measures that it put in place following the discovery of the breach. While we will not provide full details of those measures, so as not to undermine the safeguards implemented, the following is an outline of VTech’s remedial actions.

Containment

22. Upon learning of the breach from the media outlet that was about to report publically on the matter,^{Footnote 3} VTech took steps to initially contain it, including taking relevant databases, servers and websites offline and cleaning/rebuilding infected systems before going back online.

Risk to Affected Individuals

23. VTech took a number of steps to mitigate the risk to individuals whose personal information was compromised as a result of the breach. For example, users were notified both directly (emails to affected customers on 27 November 2015, which included general information about the breach and instructions regarding safety measures users could take to mitigate resulting risks) and indirectly, by way of press releases, social media and an FAQ page on its website. Users were required to change their passwords upon their first subsequent login. VTech also worked with law enforcement officials in various countries with a view to assisting investigations of the unlawful hack.

Risk of Future Breach

24. Both reactively and subsequent to regulatory intervention by privacy enforcement authorities, VTech implemented a number of remedial measures in response to the breach to mitigate the risk of a similar breach in future, including:
    1. Testing/maintenance: VTech implemented: (i) a regular, multifaceted testing protocol to identify potential system vulnerabilities; and (ii) an update/patch management program to mitigate the risk of known vulnerabilities.
    2. Administrative access controls: VTech has taken steps to limit the number of individuals with administrative access, and limited the scope of access available via individual accounts (e.g., to limit cross-network access of local administrators). They have also strengthened authentication controls (e.g., strong passwords) and put in place organizational measures to more strictly control the use of administrative accounts.
    3. Cryptography: VTech has implemented enhanced cryptography for stored information, as well as encryption for user information in transit via its websites and apps.
    4. Logging and monitoring: VTech has increased and centralized log event retention to assist with detecting and investigating unauthorized activities on its network. It has also restricted and now monitors outgoing traffic to the internet.
    5. Security Management Framework: VTech has implemented a new comprehensive data security policy, which provides for the creation of a Data Security Governance Board to ensure, among other things: (i) staff awareness via annual training regarding the policy and data security; (ii) policy compliance; and (iii) annual risk assessments, best-practice benchmarking and reviews so that the policy and associated data security measures remain adequate.
25. VTech asserted that these changes minimize the risk of recurrence of a breach by making it more difficult for a hacker to access VTech’s systems, compromise credentials, escalate privileges, move across the network and access customer information.

Application

26. In making our determinations, we applied Principles 4.7, 4.7.1, 4.7.2, and 4.7.3 of Schedule I of the Act.
27. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 further states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. It further provides that organizations shall protect personal information regardless of the format in which it is held. Principle 4.7.2 provides, in part, that the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information as well as the method of storage. More sensitive information should be safeguarded by a higher level of protection. Principle 4.7.3 also provides that the methods of protection should include: (a) physical measures, such as locked filing cabinets and restricted access to offices; (b) organizational measures, such as security clearances and limiting access on a “need-to-know” basis; and, (c) technological measures, such as the use of passwords and encryption.

Analysis

28. In our view, VTech did not implement adequate organizational and technological safeguards to protect customers’ personal information.
29. The level of safeguards must be commensurate with the sensitivity of the information in question, and informed by the potential risk of harm to individuals that could result from compromise of the data in question.
30. The data within VTech’s control, and compromised via the breach, included extensive personal information (e.g., name, date of birth, address, email address, and security question answers), which could be used for purposes of phishing or identity theft.
31. Furthermore, we note that VTech was in control of the personal information of millions of customers, with the information of over 500,000 Canadians, including over 300,000 Canadian children, compromised by the breach.
32. Finally, and perhaps most importantly, the data encompassed significant personal information of children, including details about their parents and where they live, along with the contents of photos, chat logs and voice recordings. This information, when taken together, could create rich profiles, and in the wrong hands, could subject children to unnecessary risk of being maliciously targeted. Luckily, that would not appear to have been the hacker’s motivation in this case, but the information in question was, nonetheless, highly sensitive given the potential harm that could have resulted to children, a vulnerable group.
33. In our view, given the sensitivity of the information under VTech’s control and the number of individuals affected, including children, VTech was required to have heightened safeguards in place to adequately protect against unauthorized access.
34. Given the technological and organizational deficiencies outlined in paragraphs 15-19 above, VTech clearly failed to ensure adequate safeguards — these failures were evident in the development, implementation, and subsequent maintenance of its web and information management program.
35. VTech should have had a program of regular testing and maintenance in place to identify and mitigate system vulnerabilities. As discussed above, in this case, the attacker was able to exploit a well-known design vulnerability, which had been left unmitigated by VTech.
36. Administrative account holders will often, by virtue of their role requirements, have greater access to information and systems modification capabilities. This renders administrative accounts a common target for hackers. It is therefore important to implement strict controls to limit administrative account access to those authorized individuals who require it. Organizations should also limit the access and privileges for each administrative account to those required for the role in question, including to ensure segmentation between data environments. As outlined above, VTech’s administrative access controls were inadequate — the attacker was able to leverage initial access to a test environment and a local administrative account to move between environments and ultimately gain access to sensitive information of customers and children from around the world.
37. Furthermore, VTech should have ensured that the sensitive information in question was protected by adequate cryptography. In this case, much of the information in question was either stored or transmitted without any cryptographic protection. Password cryptographic protection was inadequate, and encrypted data was left vulnerable by failing to adequately protect decryption keys.
38. Furthermore, VTech should have had a regular program of monitoring and logging to detect and mitigate threats like that which resulted in this breach.
39. Finally, VTech should have had a comprehensive security policy, including a program of regular training, compliance monitoring, risk-assessment and policy review to ensure adequate protection of the information within its control.
40. Ultimately therefore, in our view, VTech contravened Principle 4.7of the Act.
41. We are, however, satisfied that subsequent to the breach and interventions by our Office and that of our privacy enforcement counterparts, VTech implemented sufficient and timely measures (as outlined in paragraphs 20-25) to:
    1. contain the breach - e.g., by taking systems offline, resetting credentials of compromised administrative accounts,
    2. mitigate the risk to affected individuals - e.g., via prompt notification and password resets (noting in particular that VTech took the positive approach, in absence of certainty with respect to what information had been exfiltrated, of assuming that all data on compromised servers could have been accessed or copied), and
    3. mitigate the risk of a future breach - e.g., by implementing
       1. regular testing and maintenance/updates to identify and mitigate potential vulnerabilities;
       2. more robust and limited access controls;
       3. enhanced cryptographic practices to better protect the information under its control;
       4. increased monitoring and logging to detect potential threats; and
       5. a comprehensive security management framework to ensure staff awareness and compliance, as well as ongoing safeguards adequacy.
42. In coming to the determination that this matter has been resolved, our confidence was further enhanced by the fact that VTech has entered into a settlement with the United States Federal Trade Commission, which, among other things, requires that VTech implement a comprehensive data security program that will be subject to ongoing audits to ensure its continued adequacy.

Conclusion

43. Accordingly, we conclude that the matter is well-founded and resolved.