Lawmakers press toymaker for hack details

Lawmakers press toymaker for hack details
© Getty Images

A bipartisan pair of lawmakers is pressing digital toymaker VTech for answers on how it collects and locks down children’s information after the company acknowledged that a hack had exposed over 6.3 million kids' data.

“This breach raises a number of concerns,” wrote Sen. Ed MarkeyEdward (Ed) John MarkeyDemocrats lay into Trump's pick of Bolton for national security adviser Dem senator on Bolton hire: Trump is 'lining up his war cabinet' Trump replaces McMaster with Bolton as national security adviser MORE (D-Mass.) and Rep. Joe BartonJoe Linus BartonCongress may pass background check legislation in funding bill Overnight Cybersecurity: Former Equifax exec charged with insider trading | Dems blast GOP over House Russia probe | Lawmakers weigh security of energy infrastructure Five things to watch for in Texas primaries MORE (R-Texas), who both founded the Congressional Privacy Caucus when Markey was still in the House and have long advocated for children’s digital privacy.

VTech has said the information exposed for children only included names, gender and birthdates. But 5 million parent accounts were also exposed in the intrusion, compromising mailing and email addresses, security questions used for password resets, IP addresses, passwords and download histories.

Security experts who have reviewed the data say the pilfered information on children can be linked with their parents’ data, thereby revealing the kids’ full addresses and other information.

Markey and Barton said these reports raise concerns about how VTech is complying with the Children’s Online Privacy Protection Act (COPPA), the major federal law dictating how companies must handle children’s digital data.

The pair noted that the COPPA requires companies such as VTech to obtain consent from parents before collecting data on their children. These firms also must “take reasonable steps” to protect this data.

In a series of questions, Markey and Barton pressed VTech to explain exactly how it obtained the data that was stolen, and what steps — such as encryption — it uses to lock it down.

The lawmakers have requested a response by Jan. 8.