Data breaches can occur in the most surprising places. When data breaches affect sensitive, private information—especially that of children—companies can face scrutiny from regulatory agencies and be exposed to civil (and perhaps even criminal) liability. While hackers are still targeting retail corporations and financial institutions, some hackers have moved on to an unexpected new area: children’s toys.

Spiral Toys Inc. sells stuffed animals called “CloudPets.” These 21st century stuffed animals are connected to the internet, allowing parents, their children, and anyone with access to the stuffed animals to record and send voice messages to each other. Users simply download the “CloudPets” phone app (the Android app has been downloaded over 100,000 times already) and create an account by registering their emails and other personal information with the app. Unfortunately, the combination of weak network security and the sensitive nature of the private information held on the CloudPets server made it an attractive target for hackers.

In February 2017, cybersecurity experts discovered that the account information of more than 800,000 CloudPets could be easily accessed by anyone browsing the internet, without the need for a password. Even more disturbing, as reported by, nearly 2.2 million voice recordings were also stored online in an insecure manner. This includes potentially millions of voice recordings of children. According to the cybersecurity experts, hackers appeared to have wiped the user database and held its contents for ransom from the company.

Unfortunately, CloudPets’ security flaws do not appear to be an isolated event. While retailers and banks have beefed up their cybersecurity in recent years after a number of high-profile breaches, toy manufacturers appear to be lagging behind. In prior years, cybersecurity experts raised similar concerns with an internet-connected Barbie doll. Likewise, cybersecurity concerns have been raised with other connected devices that contain private information, such as fitness tracking devices like Fitbit.

Data breaches result in serious legal and public relations consequences, including a duty to disclose breaches to the public, regulatory fines, and potential class action lawsuits. Civil actions premised on tort law, i.e., invasion of privacy, are also colorable causes of action for breaches involving sensitive private information.

Finally, data breaches can also result in severe financial consequences for the companies involved. For CloudPets, its security breach has directly or indirectly caused its stock price to drop to 1 cent. Moving forward, manufacturers of “connected” 21st century toys and gadgets should study cybersecurity best practices and cyber-threat trends to stay ahead of the pack and reduce their likelihood of becoming targets for opportunistic hackers.