VTech hack: Microsoft security researcher Troy Hunt slams 'grossly negligent' security approach

Troy Hunt, security developer and avid researcher of cyber-breaches, has publicly criticised technology manufacturer VTech for its stance on security. In a scathing blog post, Hunt criticises the firm's updated terms and conditions (T&Cs), which were recently unveiled following a massive data breach last year.

The hack, which occurred in November, hit VTech's app-store database, known as Learning Lodge, and resulted in the loss of a slew of customer data of parents and children from countries across the globe, including the US, UK, Germany and China. Traditionally viewed as a toy manufacturer, VTech has, for better or worse, since touted a move into home security. "We are committed to protecting our customer information and their privacy to ensure against any such incidents in the future," the firm said following the breach.

Yet now, in its derided T&Cs, Hunt, who has been awarded Microsoft's lauded Most Valuable Professional (MVP) for Developer Security, notes that VTech has essentially placed the entire burden of security on the end user, which is the opposite position of most security-conscious firms. In short, the conditions now say that users browse the website and use the software at their "own risk".

"You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded therefrom. You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted," states the updated T&Cs.

"Grossly negligent"

According to Hunt, the position held by VTech lacks responsibility. "I'm the first person to acknowledge that there are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility," he said.

"Certainly that's the expectation of the customer – that the information they provide will remain secure – and VTech cannot simply just absolve themselves of that responsibility in their terms and conditions. People don't even read these things! If they honestly don't feel they're not up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the 'zero accountability' clause."

Noting VTech's move into home security, Hunt added: "I wonder if they set the same expectations around their home-security products perhaps not actually being secure. The bigger picture here is that companies are building grossly negligent software – not just one mistake in otherwise well-written software – and then simply not being held accountable when it all goes wrong."

IBTimes.co.uk has contacted VTech for additional comment and is awaiting a response.