FAQ about Cyber Attack on VTech Learning Lodge (last updated: 19:30, January 9, 2018, HKT)

2018/01/09

About VTech’s Settlement with the US Federal Trade Commission (FTC)

1. What is the FTC?

2. What settlement has VTech reached with the FTC?

3. Why did you settle now?

4. What are the details of the settlement?

 

About the Re-opening of Learning Lodge

5. When did the Learning Lodge go back online?

6. What services are now back online?

7. What can I expect to see when I connect back to the Learning Lodge?

8. Can I delete my Learning Lodge account?

9. Can I register a new product on Learning Lodge account?

10. Can my product use the app store now?

11. What about Kid Connect?

12. What about PlanetVTech and other suspended websites?

 

About the incident

13. I have heard that there was a data breach on a VTech website – can you confirm if this is true?

14. What websites and services were affected?

15. When did you find out about the breach?

16. When did you inform customers and the public about the incident?

17. How many customers are affected?

18. Could you provide a breakdown of number of people affected by each country?

19. How did the hacker get into your database?

20. It is reported that the UK police arrested someone in connection with the hacking in December 2015. What is the progress of the police investigation?

21. What kind of information is in the databases?

22. Was any credit card information stolen?

23. Why do you need to retain any customer information?

24. Is there anything I can do to better protect myself?

25. What is VTech doing to protect data stored on Kid Connect?

26. Has VTech informed its customers?

27. Has VTech reported the case to any authorities? Are you being investigated?

 

1. What is the FTC?

The Federal Trade Commission is an independent agency of the United States government that works to protect consumers. You can learn more about the Commission at www.ftc.gov.

2. What settlement has VTech reached with the FTC?

VTech made an announcement on Tuesday, January 9, 2018 HKT that we had reached a settlement with the FTC on behalf of two of our subsidiaries that ends a two-year investigation of a criminal cyber attack on our databases by a hacker in November 2015. In addition to resolving historical issues surrounding VTech’s data security measures, the settlement also addressed some technical notice and consent issues arising under the US’s Children’s Online Privacy Protection Act (COPPA).

3. Why did you settle now?

We settled the matter with the FTC at this time so that we could focus all our efforts on continuing to deliver world-class educational electronic toys to our customers and children – rather than have a legal process over events that took place two years ago drag on further.

4. What are the details of the settlement?

The details of the FTC settlement are available here, but in simple terms, VTech agreed to pay US$650,000 to settle charges related to technical violations of COPPA and previous weaknesses in our data security.

To be clear, we originally designed the Kid Connect messaging system in a way that ensured parents who purchased our products were fully aware of how the system worked, what information would be collected, and how they could control whom their children communicated with. However, the FTC alleged that the specific notification and parental consent verification practices did not align with the legal and technical requirements under COPPA. As part of the settlement, VTech agreed to remedy these concerns and adopt and independently verify certain data security measures.

It should be noted that we had already invested heavily in implementing more robust data security measures and also ensuring COPPA compliance in the period following the 2015 incident – long before the settlement.

5. When did the Learning Lodge go back online?

Key functions of Learning Lodge and the app store for selected products went back online on Saturday, January 23, 2016 HKT.

6. What services are now back online?

Customers of Learning Lodge connected products are now able to securely register accounts for new products, manage their existing accounts and change passwords. The Learning Lodge app store has also re-opened for all connected products. For the complete list of opened services, please refer to the table.

7. What can I expect to see when I connect back to the Learning Lodge?

For existing Learning Lodge customers using the Download Manager installed on a PC/Mac:

  • Your Learning Lodge program will be automatically updated and installed on your computer
  • You will be asked to change your password
  • You also need to provide a parental consent for data collection from your children

For InnoTab/Storio MAX customers with an existing Learning Lodge account:

  • You need to access “Parental Control” for a firmware update
  • You will be asked to change your password
  • You also need to provide a parental consent for data collection from your children

8. Can I delete my Learning Lodge account?

Yes. You can use either the Learning Lodge program or a web browser to do so. Please refer to the Learning Lodge download webpage of your region for detailed information. However, VTech will need to keep a copy of your account data for a time in order to be able to respond to potential legal inquiries regarding the breach. But VTech will not access or process that data other than to respond to such inquiries.

9. Can I register a new product on Learning Lodge account?

Customers of Learning Lodge connected products can now register their new products securely.

10. Can my product use the app store now?

All Learning Lodge connected products are now able to use the app store.

11. What about Kid Connect?

Kid Connect has been fully relaunched.

12. What about PlanetVTech and other suspended websites?

PlanetVTech and other suspended websites remain closed. We currently have no plan to re-open these websites and services.

  • www.planetvtech.com
  • www.lumibeauxreves.com
  • www.planetvtech.fr
  • www.vsmilelink.com
  • www.planetvtech.de
  • www.planetvtech.co.uk
  • www.planetvtech.es
  • www.proyectorvtech.es
  • www.sleepybearlullabytime.com
  • de.vsmilelink.com
  • fr.vsmilelink.com
  • uk.vsmilelink.com
  • es.vsmilelink.com

13. I have heard that there was a data breach on a VTech website – can you confirm if this is true?

The information we have indicates that between November 12, 2015 and November 29, 2015, an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database, the PlanetVTech and V.Smile Link websites, and Kid Connect servers. Learning Lodge allows our customers to download learning games, e-books and other educational content to their VTech products. Kid Connect is a service that allows children and parents to exchange voice and text messages, photos, drawings and fun stickers between VTech tablets, DigiGo and parents’ smartphones. PlanetVTech and V.Smile Link were websites that provided interactive games for children.

14. What websites and services were affected?

VTech’s Learning Lodge app store customer database was affected and servers related to PlanetVTech, V.Smile Link and Kid Connect were accessed. As a precautionary measure, we suspended Learning Lodge, the Kid Connect service and the following websites on November 29, 2015 HKT whilst we conducted a thorough security assessment.

  • www.planetvtech.com
  • www.lumibeauxreves.com
  • www.planetvtech.fr
  • www.vsmilelink.com
  • www.planetvtech.de
  • www.planetvtech.co.uk
  • www.planetvtech.es
  • www.proyectorvtech.es
  • www.sleepybearlullabytime.com
  • de.vsmilelink.com
  • fr.vsmilelink.com
  • uk.vsmilelink.com
  • es.vsmilelink.com

15. When did you find out about the breach?

We received an email from a journalist asking about the incident on November 23, 2015 EST. After receiving the email, we carried out an internal investigation and on November 24, 2015 detected that some irregular activity had taken place on our Learning Lodge website. Our investigation confirmed on November 26, 2015 HKT that a breach had occurred earlier that month. We immediately began a comprehensive check of the affected sites and have taken thorough actions against future attacks.

16. When did you inform customers and the public about the incident?

After confirming the facts surrounding the unauthorized access to our customer database, we published a statement on our global website on Friday, November 27, 2015 HKT outlining the details of the data breach. On the same day, we sent email notification of the incident to potentially affected Learning Lodge and Kid Connect account customers. Other potentially affected customers were notified later, as we found more information about the breach and determined what customers might have been affected. In addition:

  • We published a second statement on Monday, November 30, 2015 HKT.
  • A third press release with additional information was published on Thursday, December 3, 2015 HKT.
  • A fourth statement about the re-opening of Learning Lodge was published on Monday, January 25, 2016 HKT.

17. How many customers are affected?

Our Learning Lodge, Kid Connect, PlanetVTech and V.Smile Link customers are affected. Here are the details:

a. Learning Lodge

In total 4,863,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected. Among those approximately 6.3 million kid profiles, approximately 1.2 million of them have Kid Connect service enabled. Kid profiles only include name, gender and birthdate.

b. PlanetVTech and V.Smile Link

There are 235,708 parent accounts and 227,705 kids’ profiles in PlanetVTech and V.Smile Link.

18. Could you provide a breakdown of number of people affected by each country?

According to our information, the approximate breakdown of Learning Lodge customers by country is as follows:

| Country | Parent Accounts | Child Profiles |
| --- | --- | --- |
| United States | 2,221,863 | 2,894,091 |
| France | 868,650 | 1,173,497 |
| United Kingdom | 560,487 | 727,155 |
| Germany | 390,985 | 508,806 |
| Canada | 237,949 | 316,482 |
| Others | 168,394 | 223,943 |
| Spain | 115,155 | 138,847 |
| Belgium | 102,119 | 133,179 |
| Netherlands | 100,828 | 124,730 |
| Republic of Ireland | 40,244 | 55,102 |
| Latin America | 28,105 | 36,716 |
| Australia | 18,151 | 23,096 |
| Denmark | 4,504 | 5,547 |
| Luxembourg | 4,190 | 5,014 |
| New Zealand | 1,585 | 2,304 |

19. How did the hacker get into your database?

We cannot go into detail about the hack. What is clear is that this was a criminal act and a well-planned attack. Our Learning Lodge, Kid Connect, PlanetVTech and V.Smile Link databases have been attacked by a skilled hacker. Upon discovering the breach, we immediately began a comprehensive check of the affected sites and have taken thorough actions to protect against future attacks.

20. It is reported that the UK police arrested someone in connection with the hacking in December 2015. What is the progress of the police investigation?

On November 1, 2016, a 22-year-old man from Bracknell, Berkshire, in the United Kingdom was given a formal adult police caution for unauthorised access to computer material (Section 1 of the UK Computer Misuse Act 1990). This was the result of a criminal investigation carried out by the South East Regional Organised Crime Unit’s (SEROCU) Cyber Crime Unit into the breach of VTech’s databases in November 2015, which included data from the Learning Lodge app store, the PlanetVTech and V.Smile Link websites, and the Kid Connect service.

21. What kind of information is in the databases?

  • Our databases contain Learning Lodge and Kid Connect data with details listed below:
    a. Learning Lodge

    – Parent account information including name, email address, secret question and answer for password retrieval, IP address, mailing address, download history, history of device purchases and password.

    – Kid profiles created by parents, including child’s name, gender and birthdate.

    – Progress logs to track kids games, for parents’ reference.

    b. Kid Connect

    – Parent account information including email address and password, and parent and child profile photos and user names.

    – Kid Connect chat and voice messages and photos (sent by kids or parents).

    – Bulletin board postings made by parents and their children.

    c. PlanetVTech

    – Parent account information including name, email address, secret question and answer for password retrieval, mailing address, history of device purchases and password.

    – Kid profiles created by parents, including child’s name, avatar name, password, gender and birthdate.

    – Game score.

    d. V.Smile Link

    – Parent account information including name, email address, secret question and answer for password retrieval, mailing address, history of device purchases and password.

    – Kid profiles created by parents, including child’s name, avatar name, password, gender and birthdate.

    – Game score and played cartridges.

  • Our databases do not contain credit card or debit card or other financial account numbers. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.
  • Our databases do not contain ID card numbers, Social Security numbers, driving license numbers or similar data.

22. Was any credit card information stolen?

No, our Learning Lodge website database does not contain credit or debit card or other financial account numbers, and VTech does not process or store customer credit or debit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.

23. Why do you need to retain any customer information?

Learning Lodge allows our customers to download learning games, e-books and other educational content to their VTech products. Customers need to set up an account for such transactions. The information is used to identify the customer, market our content and track customers’ downloads.

In addition, children’s profile information is collected from parents and used by parents to identify their kids (e.g. they may have multiple kid accounts) and by VTech to customize the difficulty level of the games in accordance with the child’s age group.

Certain Kid Connect messages, photos and bulletin board postings are stored by VTech to ensure that they are delivered and have been received by their intended recipients.

Game scores and progress logs are collected and provided to parents on demand, so they can keep track of their children’s learning progress through educational games.

24. Is there anything I can do to better protect myself?

We have been advising customers to immediately change their passwords and secret questions and answers on any other sites or services that may use the same password or secret question and answer as those formerly used on Learning Lodge, PlanetVTech or V.Smile Link. When you log in to the re-opened Learning Lodge site, you will be asked to create a new password.

25. What is VTech doing to protect data stored on Kid Connect?

We have reviewed our security protocols for Kid Connect and implemented additional measures to protect data transmitted and stored via that service. We also deleted all Kid Connect bulletin board contents and unsent messages before we restarted the service. As noted above, Kid Connect has been fully relaunched.

26. Has VTech informed its customers?

Yes, we have communicated about the breach with our customers and the general public. In addition to email notifications to customers, we have posted statements and press releases on our website. We will add additional notices when appropriate.

Email has been set up to handle any enquiries as follows:

27. Has VTech reported the case to any authorities? Are you being investigated?

We have appointed data security legal specialists who are liaising with local authorities, including law enforcement agencies investigating the hacking incident.
