By Andrew Blake
March 7, 2017
The Senate Commerce Committee’s top Democrat demanded answers from a toy manufacturer on Tuesday after a data breach was said to affect nearly a million users of its high-tech brand of teddy bears.
Sen. Bill Nelson, Florida Democrat, asked Spiral Toys’ top executive on Tuesday to provide specific details about the company’s security practices after it was reported that hackers repeatedly gained access to databases containing sensitive customer information including millions of personalized audio recordings meant for children.
Spiral Toys is the maker of CloudPets, a line of Wi-Fi- and Bluetooth-enabled teddy bears intended for customers to “send [and] receive messages you can hug from anywhere in the world,” as advertised on its website. Owners are instructed upon purchase to record greetings with their smartphones that are then sent over the internet, downloaded by a device near the toy and transmitted wirelessly to an embedded speaker that ultimately broadcasts the greeting.
Nearly 2.2 million of those audio messages, in addition to data pertaining to roughly 820,000 user accounts, were recently exposed to the world after they were stored on a poorly protected, public-facing database that was accessed by hackers and held for ransom, security researcher Troy Hunt reported last week.
“The breach of Spiral Toys raises serious questions concerning how well your company protects the information it collects, especially information collected from children,” Mr. Nelson wrote in Tuesday’s letter to Spiral Toys CEO Mark Meyers.
Furthermore, he added, the breach raises questions concerning the company’s compliance with the Children’s Online Privacy Protection Act (COPPA), a federal law requiring certain companies to “establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children.”
The senator’s letter requests a response from Spiral Toys no later than March 23 with regard to over a full page of questions concerning the data breach as well as any security practices implemented before or after Mr. Hunt’s report last week.
Spiral Toys downplayed allegations concerning the supposed severity of the data breach last week and claimed no audio recordings were stolen from its exposed databases. Nonetheless, the company filed a notice with the California Attorney General’s Office last Tuesday that said it intended to provide the state with further details of the breach as required by its data breach reporting law.
In a statement, Mr. Nelson’s office said the incident “underscores growing concern from lawmakers and consumer advocates over the security and privacy risks associated with internet-connected toys.”
The Senate Commerce Committee previously issued a report in December 2016 amid concerns involving the privacy risks associated with internet-connected toys, and said then parents should “make efforts to learn about the ways in which a toy maker collects, uses, and secures data — and reject connected toys that do not provide this information.”