A U.S. senator is probing reports of a breach of data from smart toys from Spiral Toys, writing to the company’s CEO a letter with ten questions about the issue, including about the company’s security practices.
Bill Nelson, a Florida Democrat, wrote in a letter Tuesday to CEO Mark Meyers that the breach raises serious questions concerning how well the company protects the information it collects, particularly from children.
Nelson also said that the incident raises questions about the vendor’s compliance with the Children’s Online Privacy Protection Act that requires covered companies to have reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children.
The letter from Nelson was shared on Twitter by security researcher Troy Hunt, who exposed the breach in a blog post on Feb. 28.
The toys, sold under the CloudPets brand, allow parents and their children to send voice messages over the internet. Hunt found evidence that hackers had looted the unsecured MongoDB database that stored the toys’ customer login information. Although the passwords were hashed, there wasn’t a stiff requirement of password strength from the vendor, and the passwords could be potentially hacked and the voice recordings accessed.
Meyers has said that the breach came to his notice only on Feb 22, although another researcher, Victor Gevers, claims to have contacted the toy maker about the issue in late December. The company has claimed that no recordings were stolen. Nelson, who is a ranking member of the Senate’s Committee on Commerce, Science and Transportation, has asked Meyers to respond no later than March 23.