Consumer electronics firm VTech has changed its T&Cs following a major data breach last year in an apparent attempt to shift liability for future security incidents onto its customers.
The Hong Kong-based firm revealed last November that an “unauthorized party” accessed customer data held in its Learning Lodge app store database, exposing customers’ names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download history.
The firm never revealed how many customers had been affected, but some estimates put the figure at over five million, including the details of some children.
However, Microsoft security MVP Troy Hunt revealed this week that VTech updated its terms and conditions on Christmas Eve.
The Limitation of Liability section now includes the following, in caps:
“YOU ACKNOWLEDGE AND AGREE THAT YOU ASSUME FULL RESPONSIBILITY FOR YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES. YOU ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM IS AT YOUR OWN RISK.”
Hunt argued that the incident was not, as VTech claimed, an “orchestrated and sophisticated attack,” claiming that it stemmed from a SQL injection flaw – one of the most common and easiest to fix.
Numerous other security oversights included unsalted MD5 password hashes, a lack of SSL encryption and “massively outdated web frameworks,” he argued.
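To make the two weaknesses Hunt named concrete, the following is an added illustration in Python; it is not VTech's code and not taken from Hunt's analysis. It uses constructed sample accounts and an in-memory SQLite table (both assumptions) to show why unsalted MD5 is a liability (identical passwords produce identical hashes, so one cracked hash exposes every account sharing it) and how a per-user salt with a slow key-derivation function removes that property, and to contrast a string-built SQL query, which breaks on ordinary input containing a quote, with a parameterized one that treats input strictly as data.

```python
import hashlib
import hmac
import os
import sqlite3
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed sample records for the demonstration (not real user data).
USERS = [("alice", "password123"), ("bob", "password123"), ("carol", "hunter2")]

KDF_ITERATIONS = 200_000  # work factor; raise over time as hardware gets faster


def unsalted_md5(password: str) -> str:
    """The weak scheme described in the article: no salt, one fast hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def duplicate_hash_count(hashes: Iterable[str]) -> int:
    """Number of users whose stored hash is shared with at least one other user.
    Any value above zero means cracking one hash unlocks several accounts."""
    hashes = list(hashes)
    counts = Counter(hashes)
    return sum(1 for h in hashes if counts[h] > 1)


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. Equal passwords no longer
    share a digest, and every guess costs the attacker KDF_ITERATIONS rounds."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_db() -> sqlite3.Connection:
    """In-memory table of usernames (an assumption standing in for a real user store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u, _ in USERS])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str]]:
    """String-built SQL: the input becomes part of the query text itself."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str]]:
    """Bound parameter: the driver keeps query structure and data separate."""
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()


def vulnerable_lookup_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """True if the string-built query cannot even handle this input as a value.
    A quote in ordinary input is enough to change the query's meaning, which is
    the same property an injection attack relies on."""
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    md5_hashes = [unsalted_md5(p) for _, p in USERS]
    print("users sharing an unsalted MD5 hash:", duplicate_hash_count(md5_hashes))
    s1, d1 = salted_hash("password123")
    s2, d2 = salted_hash("password123")
    print("salted digests for the same password differ:", d1 != d2)
    print("verification succeeds with stored salt:", verify_salted("password123", s1, d1))
    conn = build_db()
    print("parameterized lookup for o'brien:", lookup_parameterized(conn, "o'brien"))
    print("string-built lookup for o'brien breaks:", vulnerable_lookup_breaks(conn, "o'brien"))
```

The point of `duplicate_hash_count` is the defender's check: run it over an exported password column and any non-zero result shows that the store leaks password reuse across accounts before any cracking happens. The query contrast shows that the parameterized form needs no input filtering at all to stay correct.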
A VTech spokeswoman stood by the updated T&Cs.
"Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information. But no company that operates online can provide a 100% guarantee that it won't be hacked,” she told the BBC.
"The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognize that fact by limiting the company's liability for the acts of third parties such as hackers. Such limitations are commonplace on the web."
But cybersecurity experts were quick to condemn VTech’s move.
Pat Clawson, CEO of Blancco Technology Group, argued it was the perfect example of what not to do following a data breach.
“It’s not only a bad business practice, but it’s also taking the implied stance that as a company, VTech doesn’t understand the importance of managing data holistically across the entire lifecycle,” he argued.
“What parent would feel even remotely comfortable buying a toy from a company that blatantly and unapologetically tells them they shouldn’t have any expectation of privacy?”
Lieberman Software VP of product strategy, Jonathan Lieberman, argued VTech’s stance is set to become the norm as firms look to limit their liability in case of cybercrime.
“If you’re not going to sit and read the dozens of pages of legal language, make sure you minimize the exposure of your information. Does this site really need your real date of birth – or just one that says you’re old enough?” he argued.
“Do you maintain a few different email addresses so you can use them at different services? Can you use a super complex password unique to this site and just let the browser remember it for you?”
Ironically, VTech now also sells home security systems.