LEGO Australia recently sent letters to 1,591 parents whose children joined the LEGO Club Web site between March 27 and May 5, warning them that their personal information had not been secured.
Data that may have been exposed included members’ names, addresses, dates of birth and phone numbers.
“Please note that no fraudulent activity has been reported to us, and there is no evidence of suspicious activity using your information,” the letter states. “This is just to notify you, in case you discover your information being used by a party that is not the LEGO Club, so that you can take appropriate action and to prevent any future potential misuse of personal information.”
“In an interview, Caroline Squire, LEGO’s Australia and New Zealand director of marketing, said credit card information was also not secured correctly for the 1,182 parents who signed their children up during the period its website wasn’t secure,” writes The Sydney Morning Herald’s Ben Grubb. “The 409 other parents who were also sent letters were those with incomplete registrations who did not enter their credit card but did enter their address. Squire said the LEGO Club website lacked SSL encryption (the golden lock usually seen on banking and e-commerce websites) for the March 27 to May 5 period after an update to the website caused the SSL certificate to be incorrectly configured, meaning transactions during the period were not encrypted.”
“The bungle was due to ‘human error,’ the company told affected customers earlier this month,” SC Magazine Australia reports. “Unencrypted traffic was at risk of interception.”
The company says it has notified the Office of the Australian Information Commissioner of the breach, and has “taken measures to ensure the security of the site for current member information and for future transactions.”