Lawmakers press toymaker for hack details

A bipartisan pair of lawmakers is pressing digital toymaker VTech for answers on how it collects and locks down children’s information after the company acknowledged that a hack had exposed over 6.3 million kids’ data.

“This breach raises a number of concerns,” wrote Sen. Ed Markey (D-Mass.) and Rep. Joe Barton (R-Texas), who both founded the Congressional Privacy Caucus when Markey was still in the House and have long advocated for children’s digital privacy.

{mosads}VTech has said the information exposed for children only included names, gender and birthdates. But 5 million parent accounts were also exposed in the intrusion, compromising mailing and email addresses, security questions used for password resets, IP addresses, passwords and download histories.

Security experts who have reviewed the data say the pilfered information on children can be linked with their parents’ data, thereby revealing the kids’ full addresses and other information.

Markey and Barton said these reports raise concerns about how VTech is complying with the Children’s Online Privacy Protection Act (COPPA), the major federal law dictating how companies must handle children’s digital data.

The pair noted that the COPPA requires companies such as VTech to obtain consent from parents before collecting data on their children. These firms also must “take reasonable steps” to protect this data.

In a series of questions, Markey and Barton pressed VTech to explain exactly how it obtained the data that was stolen, and what steps — such as encryption — it uses to lock it down.

The lawmakers have requested a response by Jan. 8.