WEBVTT

00:00:00.000 --> 00:00:08.160
REPORTER: It’s Tuesday, December 15, 2015, and a suspect has been arrested in the VTech Kids’

00:00:08.160 --> 00:00:14.220
Toy Hacking case. UK police slapped the cuffs on a 21-year-old man just a few hours ago as part

00:00:14.220 --> 00:00:19.740
of an ongoing investigation into the hacking. Estimates indicate almost 6.5 million kids’

00:00:19.740 --> 00:00:24.750
profiles and almost five million adult accounts were compromised in what might be described as

00:00:24.750 --> 00:00:30.000
the most unscrupulous hack to hit headlines in years. No credit card info was obtained

00:00:30.000 --> 00:00:35.100
but children’s names and addresses are said to have been accessed, which aside from being a

00:00:35.100 --> 00:00:40.350
black eye on VTech, is just straight up creepy. The suspect hasn’t yet been named but something

00:00:40.350 --> 00:00:46.230
tells us his next few days behind bars probably won’t be so enjoyable. Happy holidays, creep.

00:00:46.230 --> 00:00:48.050
[INTRO MUSIC]

00:00:48.050 --> 00:00:54.050
JACK (INTRO): This is Darknet Diaries, true stories from the dark side of the

00:00:54.050 --> 00:00:59.230
internet. I’m Jack Rhysider. [INTRO MUSIC ENDS]

00:00:59.230 --> 00:01:06.920
JACK: Kids today see their parents using tablets and phones and they want to play,

00:01:06.920 --> 00:01:10.640
too. [BACKGROUND MUSIC] Toy makers have tried to capitalize on this by offering

00:01:10.640 --> 00:01:15.740
child-friendly tablets and smart watches. These kid-friendly devices are online and

00:01:15.740 --> 00:01:20.120
connected to the internet just like any other tablet. They have features that let the child

00:01:20.120 --> 00:01:24.350
send messages from their tablet to their parent’s phone. Not just chats, though.

00:01:24.350 --> 00:01:30.290
The kid can send pictures, videos, or voice recordings. VTech is one maker of these kind

00:01:30.290 --> 00:01:34.970
of kid-friendly devices. They make tablets and phone apps that are specifically designed for

00:01:34.970 --> 00:01:41.540
kids. When you buy a VTech tablet it asks you to register the device. They ask for the parent’s

00:01:41.540 --> 00:01:47.210
name and the physical address as well as the username and password. Then the toy tablet also

00:01:47.210 --> 00:01:53.300
asks for the child’s name, if they are a boy or a girl, and what their birthday is. It even

00:01:53.300 --> 00:01:59.180
suggests you take a picture of the child using the tablet to set up a profile. This registration

00:01:59.180 --> 00:02:04.160
allows the parent’s phone to connect to their kid’s tablets. The technology VTech created

00:02:04.160 --> 00:02:09.860
that connects a parent’s phone to a kid’s tablet is called Kid Connect. VTech also created its own

00:02:09.860 --> 00:02:13.760
app store called The Learning Lodge where you can use their tablet to download apps,

00:02:13.760 --> 00:02:21.500
games, and books. Take a guess at what happens when hackers get ahold of these toy tablets.

00:02:21.500 --> 00:02:27.440
They end up pushing the tablets to the limits. There’s a forum dedicated to hacking the VTech

00:02:27.440 --> 00:02:32.450
tablets. People have been able to do all sorts of things. One hacker took the thing

00:02:32.450 --> 00:02:37.220
apart and with a soldering iron, was able to get into the underlying operating system which

00:02:37.220 --> 00:02:42.680
is Linux. From there, the hackers were able to get root access to it. Then eventually,

00:02:42.680 --> 00:02:47.690
someone showed us they got the little toy tablet to play Doom, that old PC game from

00:02:47.690 --> 00:02:53.360
the 90s. The hardware hacker community is often heard saying if you can’t open it,

00:02:53.360 --> 00:02:59.090
you don’t own it. Just like it’s legal to do work on your own car, it’s also legal to

00:02:59.090 --> 00:03:04.340
modify the electronics you own. You may void the warranty but it’s not illegal to take it

00:03:04.340 --> 00:03:10.760
apart and do whatever you want to it. As this forum grew in popularity it eventually attracted

00:03:10.760 --> 00:03:17.210
a different kind of hacker. Instead of a hardware hacker, this guy was a network hacker. He browsed

00:03:17.210 --> 00:03:23.780
around and found the tablets talk frequently to a website called planetvtech.com. He took a

00:03:23.780 --> 00:03:27.620
look at that website and almost immediately found it was vulnerable to SQL injection.

00:03:27.620 --> 00:03:35.000
SQL injections are the number one risk websites face. It takes advantage of weak code and tries to

00:03:35.000 --> 00:03:40.880
exploit the underlying database. Network hackers like this are often already equipped with loads

00:03:40.880 --> 00:03:45.620
of scripts and programs that automatically execute attacks. Out of sheer curiosity,

00:03:45.620 --> 00:03:52.700
with a few key strokes, this hacker ran a script against planetvtech.com which attempted to exploit

00:03:52.700 --> 00:04:01.310
SQL. To his surprise, it worked. He had shell access to the website. A few keystrokes later,

00:04:01.310 --> 00:04:09.200
he then had root access. He said to himself, quote, “Holy fuck. I have root. That was easy.

00:04:09.200 --> 00:04:18.260
What can I find?” End quote. He had full access to the planetvtech.com website. 100 percent control

00:04:18.260 --> 00:04:23.840
of it. Once the hacker was in the web server he took a look around. He saw numerous other

00:04:23.840 --> 00:04:29.960
servers on the VTech network, including a database server. He was able to hop into the database and

00:04:29.960 --> 00:04:34.910
when looking around there, he found the database was huge. The hacker grabbed a copy of everything

00:04:34.910 --> 00:04:40.430
in the database, downloaded the whole thing, then moved on to another database and grabbed

00:04:40.430 --> 00:04:45.080
a copy of everything there, too. The hacker then disconnected from the VTech servers. [MUSIC ENDS]

00:04:45.080 --> 00:04:52.160
He knew he had committed a crime and a wave of nervousness swept across him. This breach occurred

00:04:52.160 --> 00:05:01.670
around November 16, 2015. The hacker was equal parts disappointed and excited. He thought getting

00:05:01.670 --> 00:05:08.000
into the VTech network was way too easy. In a very short time he was able to take all the contents of

00:05:08.000 --> 00:05:12.710
their multiple databases. [MUSIC CONTINUES] With a copy of the VTech database on his own computer,

00:05:12.710 --> 00:05:18.950
he was able to slowly go through it and see what data he had. The first thing he noticed

00:05:18.950 --> 00:05:25.430
was a table called Parent. It had the following fields: First Name, Last Name, E-Mail Address,

00:05:25.430 --> 00:05:33.170
Encrypted Password, Secret Question, Secret Answer, Home Address, IP Address. As the

00:05:33.170 --> 00:05:38.420
hacker looked, he realized this is the entire user database for everyone who’s registered at

00:05:38.420 --> 00:05:44.450
the site. There were 4.8 million people listed in this table. He could not believe his eyes.

00:05:44.450 --> 00:05:53.180
A list of 4.8 million user accounts would be a hot item on the dark net. A list this large could

00:05:53.180 --> 00:06:01.460
bring in some decent Bitcoin but the hacker had no intention on selling the data. The hacker took

00:06:01.460 --> 00:06:06.140
another look at the database and found another interesting table called Member. It contained

00:06:06.140 --> 00:06:13.490
children’s names, birthdays, gender, and their parent’s ID. The hacker realized by combining

00:06:13.490 --> 00:06:18.050
the two tables he could positively identify what the last name of the child was and where

00:06:18.050 --> 00:06:25.580
they live. This table contained the information of 200,000 children. By looking at the birth dates,

00:06:25.580 --> 00:06:32.120
the average age of the child was five years old. The hacker turned his computer off and took a walk

00:06:32.120 --> 00:06:38.120
to think about what to do. He was much more angry than he was excited. He was angry that VTech was

00:06:38.120 --> 00:06:42.680
so careless with securing their site and with the personal information of so many children

00:06:42.680 --> 00:06:48.980
so easily obtained. It became clear to the hacker that he had to get VTech to admit that they have

00:06:48.980 --> 00:06:55.210
a security problem and to fix it. Having such lax security for personal children data was

00:06:55.210 --> 00:07:01.000
unacceptable to the hacker so he began thinking of ways to fix the problem. He could go in and

00:07:01.000 --> 00:07:05.770
fix it himself but that wouldn’t teach VTech how to keep it secure in the future. He thought about

00:07:05.770 --> 00:07:10.660
reaching out to VTech but he thought they’d never listen to him, or they’d try to fix it

00:07:10.660 --> 00:07:16.550
and deny it was ever a problem. The hacker took a few days to think about what to do.

00:07:16.550 --> 00:07:21.890
He decided to tell the media. This way the story will break worldwide and VTech would

00:07:21.890 --> 00:07:27.200
have to solve the problem fast. He decided to reach out to Lorenzo Franceschi-Bicchierai,

00:07:27.200 --> 00:07:32.450
a reporter for Vice’s Motherboard. Motherboard is a news outlet specifically covering stories

00:07:32.450 --> 00:07:38.690
related to computers and Lorenzo had been breaking a lot of really great stories about breaches. Many

00:07:38.690 --> 00:07:43.670
security reporters provide numerous ways for people to reach them anonymously, sometimes

00:07:43.670 --> 00:07:50.480
through Signal or using PGP e-mails, encrypted chat, or other means. The hacker connected with

00:07:50.480 --> 00:07:56.720
Lorenzo securely and asked to remain anonymous. He gave Lorenzo the 4.8 million user records and

00:07:56.720 --> 00:08:02.570
the 200,000 children records and asked him to break the story. He clearly told Lorenzo that

00:08:02.570 --> 00:08:08.330
he was an ethical hacker and had no intention on using this data for anything malicious. The hacker

00:08:08.330 --> 00:08:13.310
told Lorenzo, quote, “Profiting from database dumps is not something I do, especially not if

00:08:13.310 --> 00:08:18.860
children are involved. I just want issues made aware and fixed. It was pretty easy to dump so

00:08:18.860 --> 00:08:22.970
someone with darker motives could easily get it. Frankly, it makes me sick that I was able to get

00:08:22.970 --> 00:08:27.260
all this stuff. VTech should have the book thrown at ‘em. They have shitty security.” End quote.

00:08:27.260 --> 00:08:34.820
Lorenzo now had the burden to figure out what to do. The first thing he tried to do is determine

00:08:34.820 --> 00:08:40.040
if the hacker is telling the truth and if this data is new and legit. The worst thing

00:08:40.040 --> 00:08:45.860
a reporter can do is falsely accuse someone of wrongdoing. That would be slander. That would

00:08:45.860 --> 00:08:52.550
ruin the reporter’s reputation, so Lorenzo sent the dump to Troy Hunt to validate it. Troy is a

00:08:52.550 --> 00:08:58.970
security researcher most famously known for running the website haveibeenpwned.com. Troy

00:08:58.970 --> 00:09:04.370
obtains as many e-mail dumps as he can. These are giant lists of e-mail addresses that are seen in

00:09:04.370 --> 00:09:10.310
security breaches. He then turns his list into a public service to allow anyone to search his

00:09:10.310 --> 00:09:15.890
website to see if their e-mail address was part of a breach. At first you may think a site like

00:09:15.890 --> 00:09:21.800
that is a phishing scam, and some are, but Troy has proven himself to be ethical and

00:09:21.800 --> 00:09:28.340
legit. He and his website are trustworthy. He has over four billion e-mail addresses in his

00:09:28.340 --> 00:09:34.550
database which he gathered from all public breaches. Troy took a look at this new dump

00:09:34.550 --> 00:09:39.890
from Lorenzo. He found the password field wasn’t encrypted in the database like it said it was.

00:09:39.890 --> 00:09:46.490
Instead the passwords were stored using a basic unsalted MD5 hash. Without going into too much

00:09:46.490 --> 00:09:53.210
detail of what MD5 is, just know it’s bad security practice to store your passwords this way. Some

00:09:53.210 --> 00:09:58.580
MD5 hashes you can simply Google and find the password. There are super computers that can

00:09:58.580 --> 00:10:04.970
brute force an MD5 hash and crack it fairly quickly. Storing passwords as MD5 hashes is

00:10:04.970 --> 00:10:10.760
a severe lack of security. Troy was at first shocked by this. He then went to the website

00:10:10.760 --> 00:10:16.100
to see what it looked like. He immediately noticed the site doesn’t use HTTPS anywhere,

00:10:16.100 --> 00:10:25.340
not for authentication or the API, nothing. He also noticed the site was running ASP 2.0 which

00:10:25.340 --> 00:10:31.760
by that time had been unsupported by Microsoft for over four years. He also noticed some parts

00:10:31.760 --> 00:10:36.800
of the website were leaking more information than they should, returning errors with surprising

00:10:36.800 --> 00:10:42.650
results. A failed login message would actually show the SQL query used to log in. Troy was

00:10:42.650 --> 00:10:47.450
shocked by the details he could gather simply by using the site and not even trying to hack it.

00:10:47.450 --> 00:10:52.280
The dump passed the sniff test for Troy, but at almost five million user records,

00:10:52.280 --> 00:10:58.880
he wanted help to verify the contents were legit. Troy’s website Have I Been Pwned? was

00:10:58.880 --> 00:11:03.830
wildly successful and he offered an additional service; not only could you check your e-mail

00:11:03.830 --> 00:11:08.750
to see if it had been in a breach, but you could also give him your e-mail and he’ll notify you if

00:11:08.750 --> 00:11:15.320
it shows up in any future breaches. By this time Troy had almost 300,000 subscribers to this e-mail

00:11:15.320 --> 00:11:21.170
watch list. Troy looked through his subscribers and tried to find any that also showed up in the

00:11:21.170 --> 00:11:26.960
VTech user dump. He did, in fact, find many matching e-mail addresses so he reached out

00:11:26.960 --> 00:11:32.780
to those people. He asked if they had a VTech account and asked if the home address and ISP

00:11:32.780 --> 00:11:39.620
were accurate. This is what their responses were. “Yes, that’s accurate. I did register at VTech so

00:11:39.620 --> 00:11:45.230
I could download add-ons for a toy laptop.” “Yes, that is accurate. It’s an old address. I was at

00:11:45.230 --> 00:11:50.390
that ISP at that time so I can verify the info. I would have used the VTech website for my daughter

00:11:50.390 --> 00:11:56.330
around that time, too.” “Yes, I did access VTech Learning Lodge in 2014 after purchasing Cora Cub

00:11:56.330 --> 00:12:01.100
for my child. In order to personalize its voice-activated feature you had to join The

00:12:01.100 --> 00:12:06.230
Learning Lodge.” At this point, Troy was convinced the dump was legit and told Lorenzo what he found.

00:12:06.230 --> 00:12:13.490
JACK: By this time Lorenzo had already reached out to VTech multiple times. Over and over,

00:12:13.490 --> 00:12:18.560
Lorenzo was getting no response or being redirected to somewhere else. Eventually,

00:12:18.560 --> 00:12:25.430
days later, Lorenzo got the following response from a VTech spokesperson named Grace Ping. Quote,

00:12:25.430 --> 00:12:31.040
“On November 14, an unauthorized party accessed VTech customer data on our Learning Lodge app

00:12:31.040 --> 00:12:35.390
store customer database. We were not aware of this unauthorized access until

00:12:35.390 --> 00:12:40.310
you alerted us.” End quote. VTech claims they received the e-mail from Lorenzo,

00:12:40.310 --> 00:12:45.920
found evidence of the hack the next day, then three days later issued a press release and

00:12:45.920 --> 00:12:50.930
notified their customers through e-mail. Their initial press statement was vague and unclear

00:12:50.930 --> 00:12:56.240
as to what was taken and who was impacted. It also said the passwords were encrypted

00:12:56.240 --> 00:13:02.360
but technically MD5 hashing is not an encryption method. The date didn’t line up either because

00:13:02.360 --> 00:13:06.170
the data in the dump was time-stamped two days after they said the breach took place.

00:13:06.170 --> 00:13:13.310
But they did take down the following websites: planetvtech.com, vsmilelink.com,

00:13:13.310 --> 00:13:20.690
and sleepybearlullabytime.com. Taking these websites down must have been a big decision

00:13:20.690 --> 00:13:26.240
for VTech. Imagine the app store being down on your phone for over a month. No updates,

00:13:26.240 --> 00:13:32.480
no downloads, no sending messages between devices. Their toys lost major functionality

00:13:32.480 --> 00:13:38.000
during that time but the company did the right thing by shutting the servers down. If not,

00:13:38.000 --> 00:13:43.340
they would have attracted many other hackers and had a much bigger catastrophe on their hands.

00:13:43.340 --> 00:13:49.740
Once the vulnerable websites were offline and a press statement was issued, Lorenzo then published

00:13:49.740 --> 00:13:55.110
his article indicating VTech suffered a data breach. He published all the details of what

00:13:55.110 --> 00:14:00.840
the hacker had given him. Troy Hunt followed up with a scathing blog post of his own. The

00:14:00.840 --> 00:14:05.760
news spread quickly of VTech’s poor security controls. Parents around the world were outraged

00:14:05.760 --> 00:14:11.250
their children’s information was leaked. VTech is a company based in Hong Kong but they have a

00:14:11.250 --> 00:14:18.090
large market in the US, Spain, UK, Germany, and France. VTech’s stock began to tumble.

00:14:18.090 --> 00:14:25.560
Troy was also facing an ethical dilemma. His website haveibeenpwned.com allowed users to search

00:14:25.560 --> 00:14:30.510
e-mails that were seen in public data breaches. He added the 4.8 million e-mail addresses to his

00:14:30.510 --> 00:14:36.840
site but refused to make the children’s names searchable. The hacker who broke into VTech

00:14:36.840 --> 00:14:42.180
took another look at the data he grabbed. To his surprise he found even more data than he initially

00:14:42.180 --> 00:14:48.690
realized. There was a certain directory that had 190 gigabytes of data. As he looked through

00:14:48.690 --> 00:14:53.940
it he found it contained over 100,000 pictures that children took with their tablets, watches,

00:14:53.940 --> 00:15:01.020
or laptops. Many of these photos were duplicates, blurry, or just black so it was hard to guess as

00:15:01.020 --> 00:15:07.080
to how many actual photos there were. The hacker looked further through the files he took. He found

00:15:07.080 --> 00:15:11.700
there were chat logs which went back a whole year. These would be all chat messages that were sent

00:15:11.700 --> 00:15:17.040
between the child’s tablet and the parent’s phone. Looking at the data even further, the

00:15:17.040 --> 00:15:23.548
hacker found a directory full of audio files. He opened one and played it. This is what he heard.

00:15:23.548 --> 00:15:23.627
CHILD: I pledge allegiance to the flag of the United States America and to the

00:15:23.627 --> 00:15:33.973
Republic for which it stands, one nation under God and [inaudible].

00:15:33.973 --> 00:15:38.660
JACK: There were thousands of recordings like this. These are recordings of kids talking into

00:15:38.660 --> 00:15:47.930
their tablets. The hacker reached back out to Lorenzo and gave him the 190 gigabytes of photos,

00:15:47.930 --> 00:15:54.350
the years’ worth of chat logs, and numerous voice recordings. A few days later Lorenzo published a

00:15:54.350 --> 00:16:00.050
second article on Motherboard with these new findings. We are now able to see redacted

00:16:00.050 --> 00:16:06.380
pictures of children and hear their voices. This adds salt to VTech’s wounds. More parents are

00:16:06.380 --> 00:16:12.500
realizing their child’s personal information was not kept safe. The hacker told Lorenzo

00:16:12.500 --> 00:16:16.940
he was pleased with the way that news stories were spreading awareness of the problem. Quote,

00:16:16.940 --> 00:16:21.710
“It is as much coverage as I had hoped for.” End quote. The hacker went on

00:16:21.710 --> 00:16:25.910
to say he might move to a new target. Quote, “Maybe into VTech’s competitors,

00:16:25.910 --> 00:16:32.600
I don’t know.” End quote. On December 1, two weeks after the breach, VTech published

00:16:32.600 --> 00:16:39.110
an FAQ. It contained more information about the hack. VTech claims that not just 200,000

00:16:39.110 --> 00:16:44.420
children accounts were taken, but instead that number was 6.3 million children accounts.

00:16:44.420 --> 00:16:51.980
But VTech did not admit that any photos were taken. Then US Senators Edward Markey and Joe

00:16:51.980 --> 00:16:56.480
Barton sent VTech a letter pointing at The Children’s Online Privacy Protection Act,

00:16:56.480 --> 00:17:04.130
otherwise known as COPPA, an act established in 1998 to protect children online. Their letter

00:17:04.130 --> 00:17:09.560
also consisted of nine questions they wanted VTech to answer such as what information do

00:17:09.560 --> 00:17:14.240
you collect on children under twelve? What do you use that information for? Do you sell any

00:17:14.240 --> 00:17:20.270
of that to anyone? What encryption is used to secure the data? VTech didn’t immediately

00:17:20.270 --> 00:17:27.290
respond but they eventually updated their FAQ to answer some of these questions. A week after the

00:17:27.290 --> 00:17:31.490
breach VTech hired a security firm called FireEye to help with incident response.

00:17:31.490 --> 00:17:37.340
FireEye was able to find the security issues and resolve them. On January 25,

00:17:37.340 --> 00:17:42.320
two months after the servers were taken down, they were partially restored. Users could

00:17:42.320 --> 00:17:46.750
update and register their devices again but still could not use the app store.

00:17:46.750 --> 00:17:52.330
A month after the breach, a specialized crime unit in England caught and arrested a 21-year

00:17:52.330 --> 00:17:58.120
old man in a town west of London. He was arrested on a suspicion of unauthorized use of a computer

00:17:58.120 --> 00:18:04.840
outlining The Computer Misuse Act of 1990. The crime unit also seized multiple electronic items

00:18:04.840 --> 00:18:12.940
found. They also mentioned this may be related to VTech but the press release did not say the name

00:18:12.940 --> 00:18:18.430
of the man they arrested. Lorenzo attempted to reach out to the hacker but he never got

00:18:18.430 --> 00:18:26.710
a response. Two months after the breach, Lorenzo was attending an electronics trade show and found

00:18:26.710 --> 00:18:32.470
one of the booths was VTech. They were launching a brand new line of products. These weren’t for

00:18:32.470 --> 00:18:37.510
kids, though. They were selling smart light bulbs, door sensors, and security cameras.

00:18:37.510 --> 00:18:43.900
When Lorenzo asked the VTech marketing director if it’s secure, he said they are quote, “going

00:18:43.900 --> 00:18:49.150
through penetration tests by a third party and everything is going to be very secure.” End quote.

00:18:49.150 --> 00:18:54.490
The next month, VTech changed the terms of service on their website. It now read,

00:18:54.490 --> 00:18:59.920
in all capital letters, YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING

00:18:59.920 --> 00:19:05.290
YOUR USE OF THIS SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED

00:19:05.290 --> 00:19:11.500
PARTIES. It appears that VTech thinks they can relieve themselves of any misdoings by simply

00:19:11.500 --> 00:19:16.750
letting their customers know their data may be insecure and hacked at any time. A few lawyers

00:19:16.750 --> 00:19:22.720
commented on this and believe a clause like that won’t hold water in the US or UK, citing

00:19:22.720 --> 00:19:29.560
things like COPPA laws. Numerous politicians and state attorneys contacted VTech to discuss the

00:19:29.560 --> 00:19:35.680
COPPA laws in detail. VTech has updated their privacy policy to be more compliant with COPPA.

00:19:35.680 --> 00:19:40.570
For instance, they now state in their privacy policy that all pictures and voice messages

00:19:40.570 --> 00:19:53.050
are encrypted when stored. VTech’s stock was on a downtrend before the breach and after

00:19:53.050 --> 00:19:58.450
the breach the stock dropped by 13 percent. Within three months it was back above where it

00:19:58.450 --> 00:20:03.790
was before the breach. Their toys continue to be sold in major toy stores around the world.

00:20:03.790 --> 00:20:10.420
In the following weeks after the breach, several upset parents sued VTech North America. The suits

00:20:10.420 --> 00:20:15.730
were consolidated into a single, class action lawsuit. Plaintiffs included eight adults and

00:20:15.730 --> 00:20:21.700
fourteen children. A year and a half later, in July 2017, the case went before a judge.

00:20:21.700 --> 00:20:28.540
VTech asked the judge to dismiss the case, which the judge granted. He dismissed the case because

00:20:28.540 --> 00:20:33.250
the plaintiffs could not show how they were harmed. The judge could not find any proof

00:20:33.250 --> 00:20:40.000
that identity theft or any damage was done to the plaintiffs. The judge cited Lorenzo’s article,

00:20:40.000 --> 00:20:44.710
saying the breach was done by someone who did not have any intention to use the data

00:20:44.710 --> 00:20:45.506
in a malicious manner. There’s an update to this story. On January 8, 2018, the FTC did find VTech

00:20:45.506 --> 00:20:45.601
to have violated COPPA laws. VTech agreed to pay the $650,000 fine imposed by the FTC but they

00:20:45.601 --> 00:20:45.704
also issued a press release saying they haven’t violated any laws. They’re also required to revise

00:20:45.704 --> 00:20:49.810
their security program and conduct security audits for the next twenty years. [MUSIC] We

00:20:49.810 --> 00:20:54.250
have not seen the contents of this dump show up on any dark net site. This leads

00:20:54.250 --> 00:20:59.050
me to believe the hacker upheld his promise and did not try to profit from the data he stole.

00:20:59.050 --> 00:21:07.030
The VTech FAQ had a question on it asking what happened to the hacker who was arrested. For over

00:21:07.030 --> 00:21:11.830
a year the FAQ simply referred people to the press release put out by the crime unit that

00:21:11.830 --> 00:21:16.960
arrested him. The press release had very little information. It didn’t even include his name.

00:21:16.960 --> 00:21:25.360
In December 2016, over a year after the breach occurred, VTech updated their FAQ with a different

00:21:25.360 --> 00:21:31.120
answer to this question. It said the man who was caught simply received a formal police caution

00:21:31.120 --> 00:21:39.490
in November 2016. If this is true it means he was detained for a full year before receiving a police

00:21:39.490 --> 00:21:45.460
caution. Police cautions are usually reserved for minor crimes to sometimes save on filling

00:21:45.460 --> 00:21:53.330
out full police reports, but still put the crime on the record. Perhaps the FAQ has a typo on the year.

00:21:53.330 --> 00:22:00.290
Even now, two years later, it’s still unclear exactly what happened to the hacker. We don’t

00:22:00.290 --> 00:22:06.770
know if he was arrested or not. We don’t even know his name or his status. If he did only

00:22:06.770 --> 00:22:11.930
receive a police caution, then the story’s over. But he might still be sitting in jail

00:22:11.930 --> 00:22:17.510
somewhere. While the hacker did commit a crime, his intention was simply to be

00:22:17.510 --> 00:22:22.130
a whistle blower with his primary goal of improving the security of children’s

00:22:22.130 --> 00:22:32.390
data. [OUTRO MUSIC STARTS] You’ve been listening to Darknet Diaries. For show notes and links,

00:22:32.390 --> 00:22:47.030
check out darknetdiaries.com. Music is provided by Ian Alex Mac, Kevin MacLeod, and Chris Zabriskie.

00:22:47.030 --> 00:22:50.060
[OUTRO MUSIC ENDS]
