VTech: Data Hack Exposes 10 million children and Adults (2015)

Founded in Hong Kong, China, in 1976, VTech initially began developing video games in the 1970’s. The company originally sold their video game products to international companies like RadioShack. The more products the company created, the bigger their brand grew. In 1985, VTech started developing the first digital cordless telephones. In 2000, they signed a contract giving them exclusive rights to use the AT&T brand in conjunction with the manufacturing and sale of wireless telephones and accessories in North America. Today, VTech produces mainly cordless phones and electronic learning devices, selling them across the world, in North America, Europe, Asia, Latin America, the Middle East, and Africa.

In 2015, VTech “exposed the data of 6.4 million” (CNBC), including children using the products, as well as the parents who purchased them. The unnamed attacker contacted the Vice Magazine about VTech’s security vulnerabilities, and gave a detailed account of the breach. After clarifying that the attack was authentic, it was determined that VTech’s servers failed to utilize basic SSL encryption to secure the stored personal data. This allowed the attackers to access unencrypted passwords, photographs, chat logs, and voice recordings of the children and their parents. VTech’s corporate security was unaware their servers had been hacked until they were contacted by the Vice Magazine themselves.

Once alerted, the company immediately shut off dozens of online servers and websites. Then, they informed their customers about the 4.8 million accounts belonging to parents and 6.3 million accounts belonging to children that had been compromised. The company then stated that the released information was encrypted, although the original reports from the attacker stated otherwise. VTech hired an information security service company, FireEye, to manage any further incidents regarding stolen information. In 2016, a publication was released explaining that VTech had modified its Terms and Conditions for customers, stating that information transmitted to VTech may be intercepted or later acquired by unauthorized parties.

            VTech’s data breach affected millions around the globe. The stakeholders in this case include the children that used the product, the parents that purchased the product, RadioShack and other companies that distributed that product, and VTech themselves as an organization. The children and parents are directly affected as their private information was leaked. RadioShack and other distributors are affected as their brand image will be moderately damaged as they are affiliated with VTech and have distributed and supported their products. Finally, VTech themselves are stakeholders, as their brand image was severally impacted by the incident.

Friedman’s Individualism states that “The only goal of business is to profit, so the only obligation that the business person has is to maximize profit for the owner or the stockholder” (Individualism PowerPoint Slide #2). According to Friedman, VTech is not ethically wrong for having poor security for their customer servers. Friedman would argue that VTech’s only care should be about making profits, which they had done a great job of up until the fiasco. After the incident, the company changed their Terms and Conditions in order to avoid any further liability, in turn saving money for the company.

Utilitarianism is the foundational idea that “happiness or pleasure are the only things of intrinsic value… [and] we ought to bring about happiness and pleasure in all beings capable of feeling it” (Utilitarianism PowerPoint Slide 1). According to Utilitarianism, VTech would be ethically wrong for having poor security for their servers. VTech caused various problems for millions of customers, which negatively impacted their happiness and pleasure, which goes strictly against the values of Utilitarianism.

            The basic principles of Kantianism include: “acting rationally, respecting people, their autonomy and individual needs and differences” (Kantianism PowerPoint Slide 1), and be motivated to do what is right, simply because it is the right thing to do. According to Kantianism, VTech would be acting unethically, as even though they may have acted rationally, they did not do what is right. The company issued an FAQ, expressing their empathy and explain what information was released, although they failed to improve their security systems. The company’s simply change of the Terms and Conditions has allowed them to continue to have weak security without any liability, which is the wrong thing to do. If the company wanted to comply to Kant’s ethical theory than they must spend time and resources to improve their server’s security in order to keep their customer’s information safe.

Virtue Theory is the idea that an organization can be more profitable if they focus on ethically-driven business strategies rather than profit-driven. According to Virtue Theory, VTech is ethically wrong as they had implemented a profit-driven business strategy that resulted in a lack of resources being devoted to the protection of the customer’s security.

VTech’s lack of security along with their poor post-breach actions were far from justified. The company failed to secure private information of customers which is unethical. Also, the company failed to improve their security systems after the incident, as they just modified the Terms and Conditions of their products, explaining that customer’s information may be intercepted by unauthorized parties.

I believe that VTech should take an ethically correct action plan that includes properly informing the customer of all the facts about the breach, including things they left out in the original reports. Also, the company would hire an information technology company to implement a new security system that can properly secure the customer’s private information. Next, the company should hire a group to monitor their servers on a more regular basis, in order to ensure that the security systems are working properly. Finally, the company should apologize for this incident and ensure their customers that it will never happen again. This action plan may be expensive, but it is ethically right, and will help the company improve moving forward.

References

Cnbc. "VTech Hack: Data of 6.4M Children Exposed." CNBC. CNBC, 02 Dec. 2015. Web. 03 Apr. 2017.

Salazar, Heather. The Business Ethics Case Manual: The Authoritative Step-by-Step Guide to

     Understanding and Improving the Ethics of Any Business. Print.

“FAQ about Cyber Attack on VTech Learning Lodge (last Updated: 11:30, December 16, 2016, HKT)." VTech. N.p., n.d. Web. 03 Apr. 2017.

Kelion, Leo. "Parents Urged to Boycott VTech Toys after Hack." BBC News. BBC, 10 Feb. 2016. Web. 03 Apr. 2017.

"VTech Hacker Explains Why He Hacked the Toy Company." Motherboard. N.p., n.d. Web. 03 Apr. 2017.

Reuters. "VTech Hack Leaves Millions Of Parents -- And Their Kids -- Exposed." The Huffington Post. TheHuffingtonPost.com, 30 Nov. 2015. Web. 03 Apr. 2017.