A sex toy company has been ordered to pay a fine of £2.4 million, after shipping a “smart vibrator” that tracked customers’ usage without their knowledge.
The We-Vibe 4 Plus is a £90 vibrator that connects to a smartphone app via Bluetooth, allowing the user’s partner to operate the device remotely, from anywhere in the world.
The data collected included minute-by-minute temperature changes on the device, dates and times of use, and vibration intensity, revealing intimate information about the user’s sexual habits.
The hackers warned that this information was being stored on Standard Innovation’s servers, along with personally-identifiable information such as email addresses.
At the time, Standard Innovation claimed that the data was collected solely for “diagnostic purposes”.
However, two women filed a lawsuit against Standard Innovation one month after the Def Con presentation, alleging that the company failed to “notify or warn” users of the data collection.
The suit, filed in an Illinois federal court, accused Standard Innovation of violating the Federal Wiretap Act, along with other privacy and consumer protection statutes.
Now the company has been ordered to pay a total of 4 million Canadian dollars (£2.4 million) in compensation – or C$10,000 per customer.
Those who used the vibrator’s associated app, We-Connect, are entitled to the full amount, while those who simply bought the vibrator can claim up to C$199.
As part of the settlement, Standard Innovation agreed to destroy the information it had already collected and to stop collecting such data in the future.
“At Standard Innovation we take customer privacy and data security seriously,” the company said in a statement.
“We have enhanced our privacy notice, increased app security, provided customers more choice in the data they share, and we continue to work with leading privacy and security experts to enhance the app.
“With this settlement, Standard Innovation can continue to focus on making new, innovative products for our customers.”
The news coincides with a report from the National Crime Agency (NCA) and National Cyber Security Centre (NCSC), which warns that internet-connected devices could be targeted by cyber criminals seeking to hold users to ransom over their personal data.
It highlights the huge amount of personal information on consumer gadgets which could be exploited by criminals seeking to commit extortion or fraud.
“This data may not be inherently valuable, and might not be sold on criminal forums but the device and data will be sufficiently valuable to the victim that they will be willing to pay for it,” the report states.
Commenting on the We-Vibe case, Cesar Cerrudo, chief technology officer at IOActive, said it represents a larger problem within the so-called Internet of Things (IoT) industry.
“This is yet another example of IoT devices being rushed to market without proper consideration of privacy, and with rampant security vulnerabilities,” he said.
“We are connecting more and more of these devices to the internet and manufacturers are really not applying due diligence, which in the long run will be really costly.”