Toymaker VTech Waves Away Security Responsibilities After Major Breach

Following a comprehensive breach that saw the details of nearly 6.3 million kids stolen, internet-connected toymaker VTech has now revealed a clause in its Terms and Conditions that allows the toymaker to brush away any responsibility in the event of a future breach.

Toymaker VTech has relaunched its application, a full two months after attackers breached the company’s servers and website to steal the personal details of millions of customers and children.

In an email to millions of customers, VTech President King Pang stated:

“After further strengthening our data protection, the Learning Lodge service is now back online. We are committed to the privacy and protection of the information you entrust with VTech.”

While the relaunch sees some much-needed updates to the website’s security framework, it also contains a clause that is tucked away under the ‘Limitation of Liability’ section of the website’s terms of service.

The terms state:

“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.”

Fundamentally, VTech is telling customers that they do not have any grounds to complain in the event of a breach, since they agreed that the site isn’t secure.

The newly revised terms were discovered by Vice journalist Lorenzo Franceschi-Bicchierai, the same writer who broke the news of the breach last year.

The journalist noted that it remains unclear when the revision to the terms occurred. The document indicates that it was updated on December 24, 2015, nearly a month after the news of the hack broke.

The reaction to the terms among the security community was swift. Speaking to the publication, Rik Ferguson, vice president of security research at Trend Micro, stated the clause is “outrageous, unforgivable, ignorant, opportunistic, and indefensible.” Furthermore, law professors revealed that they had never seen such a clause blatantly inserted into a company’s terms.

The clause is unlikely to hold any legal bearing in a number of countries across Europe as well as the United States.