As of this morning, I’ve been following the story about uKnowKids’ publicly-exposed user database, which included private information on roughly 1,700 kids. It got me to thinking about the VTech breach in 2015, and I was curious as to what has happened since then. Remember the VTech breach in the Fall of 2015? If not, here’s a quick refresher:
- The children’s toy maker stored personal information (ages, photos, addresses and the like) on millions of children and their parents in a database vulnerable to SQL injection;
- The database was popped through that SQL injection hole, meaning user-supplied text was pasted straight into the database queries and ran as SQL, and leaving a hole like that is on par with using “password” as your password. (I’m struggling for the right analogy here, because it’s just so stupid. Ah! Let’s try this: Imagine somebody leaves a large wooden horse in the street in front of your house. You assume it’s a gift, so you wheel it into your yard. That night a cadre of soldiers jumps out of the horse and slaughters you and your family. Didn’t see that coming!);
- Around 4.8 million records were exposed, and the hacker who gained access notified a reporter at Motherboard to explain his reasons for doing so;
- VTech acknowledged the breach and assured its customers that no credit card data was compromised, nor was any personally identifiable information (like driver’s license data) stored in that database. (I guess your kid’s age, photo, address, etc., cannot be used to identify him or her…);
- The suspected hacker, who made no effort to profit from the breach or share the data, and who wrote that he wanted VTech to fix their problems, was arrested in December 2015.
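Since the whole story above turns on what a SQL injection hole actually is, here is an added example (mine, not VTech’s code and not from anyone involved in the breach) in Python with SQLite. It shows a hypothetical account-lookup query written the vulnerable way, with user input glued into the query string, beside the parameterized version, and runs two classic payloads against both. The table name, columns, rows and payloads are all constructed for illustration; a real system would store a salted password hash, not the plaintext used here to keep the injection visible.

```python
import sqlite3

# Constructed sample data for a hypothetical "parents" table; not a real schema.
SAMPLE_ROWS = [
    ("alice@example.com", "hunter2", "Alice", "12 Elm St"),
    ("bob@example.com", "correct horse", "Bob", "9 Oak Ave"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parents (email TEXT, password TEXT, name TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO parents VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """The bug: input is formatted into the SQL text, so quotes, OR, UNION and
    comment markers in the input become part of the query's structure."""
    sql = (
        "SELECT name, address FROM parents WHERE email = '%s' AND password = '%s'"
        % (email, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, email, password):
    """The fix: placeholders bind the input as values. The query's structure is
    fixed before the input is ever seen, so a quote in the email is just a quote."""
    sql = "SELECT name, address FROM parents WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


# Constructed payloads. The trailing "--" comments out the password check.
BYPASS_EMAIL = "' OR 1=1 --"
DUMP_EMAIL = "' UNION SELECT email, password FROM parents --"


def demo():
    """Run both implementations against a legitimate login and both payloads."""
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice@example.com", "hunter2"),
        "legit_safe": login_parameterized(conn, "alice@example.com", "hunter2"),
        # Vulnerable version logs the attacker in as every account at once.
        "bypass_vuln": login_vulnerable(conn, BYPASS_EMAIL, "x"),
        "bypass_safe": login_parameterized(conn, BYPASS_EMAIL, "x"),
        # Vulnerable version hands back the whole credential table.
        "dump_vuln": login_vulnerable(conn, DUMP_EMAIL, "x"),
        "dump_safe": login_parameterized(conn, DUMP_EMAIL, "x"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12s} -> {rows}")
```

The vulnerable query for the bypass payload becomes `... WHERE email = '' OR 1=1 --' AND password = 'x'`, which matches every row; the UNION payload appends a second SELECT that returns the email and password columns in place of name and address. The parameterized version returns nothing for either payload because the input is compared as a literal string. Nothing about the fix depends on escaping or filtering the input, which is why parameterized queries are the default answer and "sanitizing" is not.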
What really fried me – beyond the gaping holes in their antiquated systems, and VTech’s assurances about credit card data while kids’ data was exposed – was that just this month they’ve implemented measures to further protect… wait for it… themselves with new terms of service. Why new terms of service and not, say, fix their security issues to protect customers and their kids? Because screw your kid’s privacy and your little dog, too!
Companies such as VTech and uKnowKids have been entrusted with keeping not just their customers’ data but their customers’ kids’ data secure. I’m not sympathetic to these companies’ complaints about loss of intellectual property (IP) by these researchers when there is no evidence that that IP has been shared. If you’re responsible for protecting kids’ privacy, that responsibility is your top priority. Full stop. If you can’t handle that responsibly, you shouldn’t be in business in the first place.