Hacks are everywhere these days. But when this generation was younger, it wasn’t their toys being hacked.

But just this week that’s exactly what happened: VTech, the makers of several popular educational toys for children, had their company database infiltrated the company’s database last week. Initially it seemed like the hacker had made away with just the personally identifiable information from nearly five million families. But over the weekend it came out that they had also obtained children’s headshots, recordings, and chat logs from the database as well. Will this hack change how we feel about the Internet of Toys?

Photo Credit: Jez Page  cc
Photo Credit: Jez Page cc

Undoubtedly technological advancements have made for some innovative toys. But once toys are hackable, it seems like maybe there should be clearer lines in the sand about what kinds of data companies are collecting. As Motherboard reports:

Over the weekend, the hacker, who asked to remain anonymous, told me that VTech left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. This data is from the company’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet. In online tutorials, the company encourages parents and kids to take headshots and use them in their apps.

VTech did not respond to Motherboard’s request for clarifications as to why the company even stored this information on their servers in the first place.

…”Frankly, it makes me sick that I was able to get all this stuff,” the hacker told me in an encrypted chat. ”VTech should have the book thrown at them.”

Of course people in glass houses shouldn’t necessarily throw books at the people they hack, but they do have a point: Why was VTech storing all these files on the kids and families they serve?

It’s similar to the Ashley Madison attack; a company retaining a lot more information on their servers than consumers might’ve originally thought. Only this time instead of adults who are knowingly giving out their information (if not knowing that the information would be retained) it’s children, who likely don’t know what the toy’s function is. And with the Internet of Things making its way onto the shelves of toy stores, it might be time to figure out where the responsibility in these situations lie.

As Dina Epstein wrote for Retail & Consumer Products, it’s a changing world that the parents have to be very attuned to:

But, as these new frontiers of play develop, manufacturers and marketers need to work to ensure that we can strike a balance between innovative play and children’s safety and privacy. And the lines aren’t always clear.

For example, under the Children’s Online Privacy Protection Act (COPPA), any online entity that is collecting personal information from children under 13 is required to meet certain obligations with respect to privacy, parental notice, and consent.  But COPPA likely did not anticipate an ongoing, interactive information-sharing exchange between young children and their toys.

So, in this new world of highly technological and interactive toys that can gather information and transmit it through the cloud, what does parental consent for information collection look like?

In this case, the hacker has told Motherboard that they have no plans to publish or sell the data. But parents shouldn’t have to count on the good nature of hackers to protect the information they steal. Whether the VTech hack will spark a change to how we tinker with the Internet of Toys, we’ll have to see. But this Christmas, it’s worth double checking the toys under the tree.