Stephan Zouras, LLP Pursues Data Breach Claims Against Vtech

Tuesday, December 15 - 2015

In what has been described as a “parent’s nightmare of epic proportions,” more than ten million parents, legal guardians, and minor children (“VTech Customers”) became the victims of a massive data breach, when their personally identifiable information (“PII”) was accessed and downloaded from VTech’s servers by a hacker on or about November 14, 2015 (the “Data Breach”). The Data Breach is the fourth largest consumer data breach to date, and is the largest known data breach involving the personal information of minor children.
 
The Data Breach resulted in the disclosure of registered adult VTech Customers’ sensitive PII, including their names, addresses, email addresses, IP addresses, passwords, and secret questions and answers. It also resulted in the disclosure of associated minor children’s names, genders, and birthdays. In addition, the Data Breach also exposed tens of thousands of photographs of children and their parents or other trusted adults—more than 190 GB of photographs—as well as audio files and a year’s worth of chat logs between minor children and their parents or other trusted adults. Most if not all of these photographs, recordings, and logs can be traced back to specific usernames, so that anyone in possession of the hacked data can identify who is in a given photograph, recording, or chat log.
 
The Data Breach puts registered adult VTech Customers whose sensitive PII was compromised at increased risk of identity theft for years, and potentially for a lifetime, because names, legal relationships, facial characteristics, vocal characteristics, and truthful answers to many standard security questions are difficult to change.
 
Even worse, the information compromised in the Data Breach is linked to additional extensive information about the minor children, including their age, gender, facial and vocal characteristics, which places these VTech Customers at increased risk of exposure to criminal acts of child predators. As one security expert observed, “people who prey on children—now have the ability to get basic information about them—where they live, what they look like,” cautioning that “this lapse of security” would potentially allow such predators to gain the trust of children whose information was compromised. Another security expert has expressed similar concerns: “When [the data] includes their parents as well—along with their home address—and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question),’ I start to run out of superlatives to even describe how bad that is.”
 
Cybercriminals were able to perpetrate a breach of this depth and scope because VTech failed to maintain reasonable and adequate security measures to protect the information of VTech Customers using VTech’s services from access and disclosure. Among other things, VTech failed to: (1) implement security measures designed to prevent this attack; (2) employ security protocols to detect the breach and removal of more than 190 GB of data from its computer networks; and (3) maintain basic security measures such as encryption, which would have ensured that, in the event data were accessed or stolen, it would be unreadable and thus cause less damage to VTech Customers and their families.
 
To make matters worse, following the breach, VTech failed to detect the unauthorized access of data from its servers, until it was contacted by Motherboard, a news organization investigating the story. Even then, VTech failed to respond or notify its customers for several days after being notified by Motherboard. Ultimately, VTech responded to Motherboard on Thursday, November 26, confirming that “an unauthorized party accessed VTech customer data,” and that VTech was “not aware of this unauthorized access until [Motherboard] alerted us.” VTech then announced the breach by press release on Friday, November 27, but failed to disclose the severity of the breach, including the number of records that were accessed or the fact that the PII of minor children was compromised. As a result VTech left its customers in the dark about the scope of the breach, how they and their families were impacted, and what steps VTech is taking to remedy or mitigate the breach.
 
If you or someone you know has purchased a VTech product or registered for an account and would like more information on your rights, please contact us at (312) 233-1550 or lawyers@stephanzouras.com.

For more information on your rights, contact us

Back to News and Media »