On February 27, 2017, news reports disclosed a major security breach involving Spiral Toys, the seller of the CloudPets brand of internet-connected stuffed animals. The Bluetooth-connected CloudPets toys allow users to exchange voice messages between the toys and applications on smartphones or tablets. An investigation by cybersecurity researcher Troy Hunt revealed that customer data for over 800,000 registered accounts, including over two million voice recordings, was stored in an unprotected database on the public internet. While the company has denied that any voice recordings were stolen, reports indicate that hackers accessed the open database and attempted to ransom the data.
The incident, the latest in a series of data breaches involving “smart toys,” has caught the attention of United States Senator Bill Nelson, the Ranking Member of the Senate Committee on Commerce, Science, and Transportation. Senator Nelson sent a letter dated March 7, 2017 to Spiral Toys’ CEO, Mark Meyers, seeking information about the company’s data security practices and expressing concern regarding a potential violation of the Children’s Online Privacy Protection Act.
Beyond the core concern of protecting information about children stored online, the CloudPets saga demonstrates several other lessons in protecting data security. First, while the exposed customer data did not include unprotected passwords, the company had no rules for password strength, making it easy for hackers to access thousands of accounts by guessing commonly used passwords. Second, multiple people attempted to report the security vulnerability to Spiral Toys and its hosting provider in late December, yet the data remained exposed for two weeks until finally being secured on January 13th following the attacks and ransom efforts. Had the company put in place procedures to receive and act on reports of security lapses, the fallout from this incident could potentially have been contained.