FTC settles COPPA data breach case with toy company VTech
Electronic toy manufacturer VTech Electronics Limited and its U.S. subsidiary have agreed to settle charges by the Federal Trade Commission that the company violated a U.S. children’s privacy law by collecting personal information from children without providing direct notice and obtaining their parent’s consent, and by failing to take reasonable steps to secure the data it collected. VTech will pay $650,000 as part of the settlement with the FTC. The root cause of the breach, by VTech's own admission, was a lack of database security. The attacker was able to leverage a SQL injection (SQLi) vulnerability to steal the data. Though a preventable security vulnerability was at the core of the VTech data breach, the FTC's complaint and settlement with VTech are largely focused on COPPA compliance. The FTC complaint alleges that VTech did not properly alert parents to its privacy policies or to the fact that personal information was being collected from children.
More details: https://www.ftc.gov/news-events/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated