Last updated: 19:30, January 9, 2018 (HKT)
About VTech’s Settlement with the US Federal Trade Commission (FTC)
2. What settlement has VTech reached with the FTC?
4. What are the details of the settlement?
About the Re-opening of Learning Lodge
5. When did the Learning Lodge go back online?
6. What services are now back online?
7. What can I expect to see when I connect back to the Learning Lodge?
8. Can I delete my Learning Lodge account?
9. Can I register a new product on my Learning Lodge account?
10. Can my product use the app store now?
12. What about PlanetVTech and other suspended websites?
About the incident
13. I have heard that there was a data breach on a VTech website – can you confirm if this is true?
14. What websites and services were affected?
15. When did you find out about the breach?
16. When did you inform customers and the public about the incident?
17. How many customers are affected?
18. Could you provide a breakdown of the number of people affected by country?
19. How did the hacker get into your database?
21. What kind of information is in the databases?
22. Was any credit card information stolen?
23. Why do you need to retain any customer information?
24. Is there anything I can do to better protect myself?
25. What is VTech doing to protect data stored on Kid Connect?
26. Has VTech informed its customers?
27. Has VTech reported the case to any authorities? Are you being investigated?
1. What is the FTC?
The Federal Trade Commission is an independent agency of the United States government that works to protect consumers. You can learn more about the Commission at www.ftc.gov.
2. What settlement has VTech reached with the FTC?
VTech made an announcement on Tuesday, January 9, 2018 HKT that we had reached a settlement with the FTC on behalf of two of our subsidiaries that ends a two-year investigation of a criminal cyber attack on our databases by a hacker in November 2015. In addition to resolving historical issues surrounding VTech’s data security measures, the settlement also addressed some technical notice and consent issues arising under the US’s Children’s Online Privacy Protection Act (COPPA).
3. Why did you settle now?
We settled the matter with the FTC at this time so that we could focus all our efforts on continuing to deliver world-class educational electronic toys to our customers and children – rather than have a legal process over events that took place two years ago drag on further.
4. What are the details of the settlement?
The details of the FTC settlement are available here, but in simple terms, VTech agreed to pay US$650,000 to settle charges related to technical violations of COPPA and previous weaknesses in our data security.
To be clear, we originally designed the Kid Connect messaging system in a way that ensured parents who purchased our products were fully aware of how the system worked, what information would be collected, and how they could control whom their children communicated with. However, the FTC alleged that the specific notification and parental consent verification practices did not align with the legal and technical requirements under COPPA. As part of the settlement, VTech agreed to remedy these concerns and adopt and independently verify certain data security measures.
It should be noted that we had already invested heavily in implementing more robust data security measures and also ensuring COPPA compliance in the period following the 2015 incident – long before the settlement.
5. When did the Learning Lodge go back online?
Key functions of Learning Lodge and the app store for selected products went back online on Saturday, January 23, 2016 HKT.
6. What services are now back online?
Customers of Learning Lodge connected products are now able to securely register accounts for new products, manage their existing accounts and change passwords. The Learning Lodge app store has also re-opened for all connected products. For the complete list of opened services, please refer to the table.
7. What can I expect to see when I connect back to the Learning Lodge?
For existing Learning Lodge customers using the Download Manager installed on a PC/Mac:
- Your Learning Lodge program will be automatically updated and installed on your computer
- You will be asked to change your password
- You also need to provide parental consent for data collection from your children
For InnoTab/Storio MAX customers with an existing Learning Lodge account:
- You need to access “Parental Control” for a firmware update
- You will be asked to change your password
- You also need to provide parental consent for data collection from your children
8. Can I delete my Learning Lodge account?
Yes. You can use either the Learning Lodge program or a web browser to do so. Please refer to the Learning Lodge download webpage of your region for detailed information. However, VTech will need to keep a copy of your account data for a time in order to be able to respond to potential legal inquiries regarding the breach. But VTech will not access or process that data other than to respond to such inquiries.
9. Can I register a new product on my Learning Lodge account?
Customers of Learning Lodge connected products can now register their new products securely.
10. Can my product use the app store now?
All Learning Lodge connected products are now able to use the app store.
11. What about Kid Connect?
Kid Connect has been fully relaunched.
12. What about PlanetVTech and other suspended websites?
PlanetVTech and other suspended websites remain closed. We currently have no plan to re-open these websites and services.
- www.planetvtech.com
- www.lumibeauxreves.com
- www.planetvtech.fr
- www.vsmilelink.com
- www.planetvtech.de
- www.planetvtech.co.uk
- www.planetvtech.es
- www.proyectorvtech.es
- www.sleepybearlullabytime.com
- de.vsmilelink.com
- fr.vsmilelink.com
- uk.vsmilelink.com
- es.vsmilelink.com
13. I have heard that there was a data breach on a VTech website – can you confirm if this is true?
The information we have indicates that between November 12, 2015 and November 29, 2015, an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database, the PlanetVTech and V.Smile Link websites, and Kid Connect servers. Learning Lodge allows our customers to download learning games, e-books and other educational content to their VTech products. Kid Connect is a service that allows children and parents to exchange voice and text messages, photos, drawings and fun stickers between VTech tablets, DigiGo and parents’ smartphones. PlanetVTech and V.Smile Link were websites that provided interactive games for children.
14. What websites and services were affected?
VTech’s Learning Lodge app store customer database was affected and servers related to PlanetVTech, V.Smile Link and Kid Connect were accessed. As a precautionary measure, we suspended Learning Lodge, the Kid Connect service and the following websites on November 29, 2015 HKT whilst we conducted a thorough security assessment.
- www.planetvtech.com
- www.lumibeauxreves.com
- www.planetvtech.fr
- www.vsmilelink.com
- www.planetvtech.de
- www.planetvtech.co.uk
- www.planetvtech.es
- www.proyectorvtech.es
- www.sleepybearlullabytime.com
- de.vsmilelink.com
- fr.vsmilelink.com
- uk.vsmilelink.com
- es.vsmilelink.com
15. When did you find out about the breach?
We received an email from a journalist asking about the incident on November 23, 2015 EST. After receiving the email, we carried out an internal investigation and on November 24, 2015 detected that some irregular activity took place on our Learning Lodge website. Our investigation confirmed on November 26, 2015 HKT that a breach had occurred earlier that month. We immediately began a comprehensive check of the affected sites and have taken thorough actions against future attacks.
16. When did you inform customers and the public about the incident?
After confirming the facts surrounding the unauthorized access to our customer database, we published a statement on our global website on Friday, November 27, 2015 HKT outlining the details of the data breach. On the same day, we sent email notification of the incident to potentially affected Learning Lodge and Kid Connect account customers. Other potentially affected customers were notified later, as we found more information about the breach and determined what customers might have been affected. In addition:
- We published a second statement on Monday, November 30, 2015 HKT.
- A third press release with additional information was published on Thursday, December 3, 2015 HKT.
- A fourth statement about the re-opening of Learning Lodge was published on Monday, January 25, 2016 HKT.
17. How many customers are affected?
Our Learning Lodge, Kid Connect, PlanetVTech and V.Smile Link customers are affected. Here are the details:
a. Learning Lodge
In total 4,863,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected. Among those approximately 6.3 million kid profiles, approximately 1.2 million of them have Kid Connect service enabled. Kid profiles only include name, gender and birthdate.
b. PlanetVTech and V.Smile Link
There are 235,708 parent accounts and 227,705 kids’ profiles in PlanetVTech and V.Smile Link.
18. Could you provide a breakdown of the number of people affected by country?
According to our information, the approximate breakdown of Learning Lodge customers by country is as follows:
| Country | Parent Accounts | Child Profiles |
| --- | --- | --- |
| United States | 2,221,863 | 2,894,091 |
| France | 868,650 | 1,173,497 |
| United Kingdom | 560,487 | 727,155 |
| Germany | 390,985 | 508,806 |
| Canada | 237,949 | 316,482 |
| Others | 168,394 | 223,943 |
| Spain | 115,155 | 138,847 |
| Belgium | 102,119 | 133,179 |
| Netherlands | 100,828 | 124,730 |
| Republic of Ireland | 40,244 | 55,102 |
| Latin America | 28,105 | 36,716 |
| Australia | 18,151 | 23,096 |
| Denmark | 4,504 | 5,547 |
| Luxembourg | 4,190 | 5,014 |
| New Zealand | 1,585 | 2,304 |
19. How did the hacker get into your database?
We cannot go into detail about the hack. What is clear is that this was a criminal act and a well-planned attack. Our Learning Lodge, Kid Connect, PlanetVTech and V.Smile Link databases have been attacked by a skilled hacker. Upon discovering the breach, we immediately began a comprehensive check of the affected sites and have taken thorough actions to protect against future attacks.
20. It is reported that the UK police arrested someone in connection with the hacking in December 2015. What is the progress of the police investigation?
On November 1, 2016, a 22-year-old man from Bracknell, Berkshire, in the United Kingdom was given a formal adult police caution for unauthorised access to computer material (Section 1 of the UK Computer Misuse Act 1990). This was the result of a criminal investigation carried out by the South East Regional Organised Crime Unit’s (SEROCU) Cyber Crime Unit into the breach of VTech’s databases in November 2015, which included data from the Learning Lodge app store, the PlanetVTech and V.Smile Link websites, and the Kid Connect service.
21. What kind of information is in the databases?
- Our databases contain Learning Lodge and Kid Connect data with details listed below:
a. Learning Lodge
– Parent account information including name, email address, secret question and answer for password retrieval, IP address, mailing address, download history, history of device purchases and password.
– Kid profiles created by parents, including child’s name, gender and birthdate.
– Progress logs to track kids’ games, for parents’ reference.
b. Kid Connect
– Parent account information including email address and password, and parent and child profile photos and user names.
– Kid Connect chat and voice messages and photos (sent by kids or parents).
– Bulletin board postings made by parents and their children.
c. PlanetVTech
– Parent account information including name, email address, secret question and answer for password retrieval, mailing address, history of device purchases and password.
– Kid profiles created by parents, including child’s name, avatar name, password, gender and birthdate.
– Game score.
d. V.Smile Link
– Parent account information including name, email address, secret question and answer for password retrieval, mailing address, history of device purchases and password.
– Kid profiles created by parents, including child’s name, avatar name, password, gender and birthdate.
– Game score and played cartridges.
- Our databases do not contain credit card, debit card or other financial account numbers. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third-party payment gateway.
- Our databases do not contain ID card numbers, Social Security numbers, driving license numbers or similar data.
22. Was any credit card information stolen?
No, our Learning Lodge website database does not contain credit or debit card or other financial account numbers, and VTech does not process or store customer credit or debit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third-party payment gateway.
23. Why do you need to retain any customer information?
Learning Lodge allows our customers to download learning games, e-books and other educational content to their VTech products. Customers need to set up an account for such transactions. The information is used to identify the customer, market our content and track customers’ downloads.
In addition, children’s profile information is collected from parents and used by parents to identify their kids (e.g. they may have multiple kid accounts) and by VTech to customize the level of difficulty of the games in accordance with the child’s age group.
Certain Kid Connect messages, photos and bulletin board postings are stored by VTech to ensure that they are delivered and have been received by their intended recipients.
Game scores and progress logs are collected and provided to parents on demand, so they can keep track of their children’s learning progress through educational games.
24. Is there anything I can do to better protect myself?
We have been advising customers to immediately change their passwords and secret questions and answers on any other sites or services that may use the same password or secret question and answer as those formerly used on Learning Lodge, PlanetVTech or V.Smile Link. When you log in to the re-opened Learning Lodge site, you will be asked to create a new password.
25. What is VTech doing to protect data stored on Kid Connect?
We have reviewed our security protocols for Kid Connect and implemented additional measures to protect data transmitted and stored via that service. We also have deleted all Kid Connect bulletin board contents and unsent messages before we restarted the service. As noted above, Kid Connect has been fully relaunched.
26. Has VTech informed its customers?
Yes, we have communicated about the breach with our customers and the general public. In addition to email notifications to customers, we have posted statements and press releases on our website. We will add additional notices when appropriate.
Email addresses have been set up to handle any enquiries, as follows:
- US: vtechkids@vtechkids.com
- Canada: toys@vtechcanada.com
- France: explora_park@vtech3.websitedevsystem.com
- Germany: downloadmanager@vtech.de
- Netherlands: exp@vtech3.websitedevsystem.com
- Spain: informacion@vtech3.websitedevsystem.com
- UK: consumer_services@vtech3.websitedevsystem.com
- Australia and New Zealand: enquiriestoys_aunz@vtech3.websitedevsystem.com
- Hong Kong: corporate_mail@vtech3.websitedevsystem.com
- Other countries and regions: corporate_mail@vtech3.websitedevsystem.com
27. Has VTech reported the case to any authorities? Are you being investigated?
We have appointed data security legal specialists who are liaising with local authorities, including law enforcement agencies investigating the hacking incident.