United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

March 7, 2017

Mark Meyers
Chairman and Chief Executive Officer
Spiral Toys
30077 Agoura Court, Suite 230
Agoura Hills, CA 91301

Dear Mr. Meyers:

In light of the recent breach of a Spiral Toys database containing information about hundreds of thousands of users collected from its internet-connected CloudPets toys, I write to you with questions regarding the overall data privacy and security practices of Spiral Toys.

According to a report from a security researcher, hackers appear to have accessed and exposed Spiral Toys' database that contained more than 800,000 email addresses and hashed passwords.1 Not only was the information accessed, but records also reportedly show that the data was ransomed by the hackers on multiple occasions. Because Spiral Toys created no requirements for password strength, the hackers could have easily cracked many passwords by simply checking the data against common passwords. This information could then be used to access and download the private voice recordings of children and parents.2

The 2015 VTech breach that exposed the personal information of more than six million children globally should have served as a wakeup call for toymakers who were not adequately protecting the consumer information they collect.3 I also released a report last year that raised concerns over the privacy risks associated with internet-connected toys and called on toymakers to invest in technology that ensures they are always a step ahead of increasingly sophisticated hackers.4

1 Data from Connected CloudPets Teddy Bears Leaked and Ransomed, Exposing Kids' Voice Messages, Troy Hunt (Feb. 28, 2017).
3 ... the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids, Motherboard (Nov. 27, 2015).
4 Senate Committee on Commerce, Science, and Transportation, Children's Connected Toys: Data Security and Privacy Concerns, 114th Congress (Dec. 14, 2016).
The breach of Spiral Toys raises serious questions concerning how well your company protects the information it collects, especially information collected from children. Additionally, the incident raises questions about Spiral Toys' compliance with the Children's Online Privacy Protection Act (COPPA), a law that, among other things, requires covered companies to "establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children."5

As Ranking Member of the U.S. Senate Committee on Commerce, Science, and Transportation, I request that you respond to the following inquiries:

1. Provide a summary of the data breach, including, but not limited to:
   a. When the breach occurred;
   b. When and how Spiral Toys first learned of the breach;
   c. What consumer information was compromised in the breach;
   d. What consumer information was potentially accessible to the hackers (the universe of data stored in the database accessed by the hackers);
   e. How many Spiral Toys consumers were affected, including the number of affected children;
   f. Whether and how Spiral Toys has notified affected consumers (if so, please provide a copy of the notice);
   g. Whether Spiral Toys currently offers, or plans to offer, a free identity theft protection service for impacted consumers;
   h. What security measures Spiral Toys had in place at the time of the breach to protect against the risk of unauthorized access to its data;
   i. Whether, prior to the breach, Spiral Toys had a chief information officer (CIO), a chief technology officer (CTO), or an employee with responsibilities similar to those of a CIO or CTO;
   j. Whether, prior to the breach, Spiral Toys provided notice to consumers of its data collection, use, and sharing practices, such as a privacy policy and terms of use (if so, please describe how you provided notice and provide copies of each notice); and
   k. Whether, prior to the breach, Spiral Toys had policies in place that offered consumers the ability to control data collection, such as the ability to access, correct, and/or delete collected information.

2. Does COPPA apply to Spiral Toys' products and/or services? If so, list the products and services to which COPPA applies.

3. For each Spiral Toys product or service that is intended for use by children, identify and provide a description of the consumer information your company collects.

4. Provide a description of how this information is collected and how it is used. If this information is combined with data collected from other sources, describe the additional data and identify the sources.

5. Does Spiral Toys share or sell any of the collected information with or to third parties? If so, please identify and provide a description of these third parties, the information that is shared, how that information is used, and how you notify parents that collected information may be shared or sold with or to third parties.

6. Provide a detailed description of all security procedures that Spiral Toys currently has in place to protect collected consumer information, including a detailed description of how the information is stored and for how long Spiral Toys retains the information.

7. Describe the measures Spiral Toys currently has in place to protect against the risk of unauthorized access to its data. In addition, does your company have in place consumer notification procedures to be used in the event of a breach?

8. During the previous two years, has Spiral Toys suffered any other data breaches impacting consumer data? If so, please provide a detailed description, including what information was compromised, the number of impacted consumers, whether consumer notification of the breach was provided and, if so, a copy of the notification, and whether any free identity theft protection was offered to consumers.

9. Does Spiral Toys provide notice to consumers of its data collection, use, and sharing practices (such as a privacy policy and terms of use)? If so, please describe how you provide notice and provide copies of each notice.

10. Can consumers access, correct, and delete the information your company collects about them? If not, why not? If so, please provide a description of the process through which a consumer can access, correct, and delete the information and how your company makes consumers aware of these choices.

Please provide this information as soon as possible, but no later than March 23, 2017. Thank you in advance for your assistance with this matter.

Sincerely,

BILL NELSON
Ranking Member

cc: The Honorable John Thune, Chairman

5 16 C.F.R. § 312.8.