An educational toy manufacturer from China has settled with the FTC to pay $650,000 in fines over an older data breach that exposed data illegally collected from approximately 5 million parents and Children, the FTC announced. The FTC discovered the illegal data collection in 2015 while investigating a cyberattack detected by a journalist.

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen. “Unfortunately, Vtech fell short in both of these areas.”

Not only did VTech not ensure data “confidentiality, security and integrity” by encrypting it, but it also broke US Children’s Online Privacy Protection Act by collecting personal information from children under 13 and their parents, without the parents’ verifiable consent and without informing children about it.

In response to the FTC, VTech “does not admit any violations of law or liability.”

Through Kid Connect, available for download on the Learning Lodge Navigator online platform, and gaming and chat platform Planet VTech, the manufacturer collected parents’ personal information, such as names, email addresses, passwords, IPs, download history, kids’ names, dates of birth and gender, among others. The Kid Connect app is used with most of its toys.

In the 2015 data breach, a hacker infiltrated the company network and gained access to the personal information of some 2.25 million parents and 3 million children. The hacker also had access to photos and audio files uploaded by parents and their children on the platform.

“We are pleased to settle this two-year-old investigation by the FTC,” said Allan Wong, Chairman and Group CEO of VTech Holdings Limited. “Following the cyberattack incident, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers’ data. We also took steps to address the technical notice and consent issues under COPPA.”

VTech is the largest manufacturer of cordless phones, and its products are meant for children from infancy to preschool. Despite the issue with the FTC, the company’s Kidizoom Smartwatch, designed for ages 4 and up, received last week the 2018 KAPi (Kids at Play Interactive) Award for innovation and design excellence.