
LEGO security scare: 1591 customers potentially exposed

LEGO Australia.

LEGO Australia has posted letters to 1591 parents who recently attempted to sign their children up to LEGO Club magazine, informing them that their personal information - as well as their child's - was not secured correctly.

In a letter dated May 14, LEGO said it had become aware that an area of its Australian and New Zealand LEGO Club website was "not secure" when accepting membership details between March 27 and May 5 this year.

LEGO Club accepts payment of $19.95 for membership which includes access to Lego Club magazine.

The May 14 letter said information that "may have been vulnerable" during the period included names, addresses, date of birth (if supplied), and phone number (if supplied). The date of birth was the child's, while the names were both the parent's and the child's.

In an interview Caroline Squire, LEGO's Australia and New Zealand director of marketing, said credit card information was also not secured correctly for the 1182 parents who signed their children up during the period its website wasn't secure. The 409 other parents who were also sent letters were those with incomplete registrations who did not enter their credit card but did enter their address.

Squire said the LEGO Club website lacked SSL encryption (the golden lock usually seen on banking and e-commerce websites) for the March 27 to May 5 period after an update to the website caused the SSL certificate to be incorrectly configured, meaning transactions during the period were not encrypted.
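A defender's check for this class of misconfiguration, added here as an example and not code from the article or from LEGO: it parses the forms on a page and flags any form that would submit personal or payment fields to an action URL that is not served over HTTPS. The page HTML, hostnames and field names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not LEGO's site): a membership form posting over
# plain HTTP, a harmless search form, and a correctly secured form.
SAMPLE_HTML = """
<html><body>
<form id="join" action="http://club.example.invalid/join" method="post">
  <input name="parent_name"><input name="child_dob"><input name="card_number">
</form>
<form id="search" action="/search" method="get"><input name="q"></form>
<form id="secure-join" action="https://club.example.invalid/join" method="post">
  <input name="parent_name"><input name="card_number">
</form>
</body></html>
"""
# Field names treated as personal/payment data (assumed names for the example).
SENSITIVE_FIELDS = {"parent_name", "child_name", "child_dob", "address", "phone", "card_number"}

class FormAuditor(HTMLParser):
    """Collect each <form> with its resolved action URL and its input names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the scheme of the page that served the form.
            self._current = {"id": a.get("id", "?"),
                             "action": urljoin(self.page_url, a.get("action", "")),
                             "fields": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(html, page_url):
    """Return ids of forms that would send sensitive fields without TLS:
    the action scheme is not https and at least one sensitive field is present."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    return [f["id"] for f in parser.forms
            if urlsplit(f["action"]).scheme != "https" and f["fields"] & SENSITIVE_FIELDS]
```

A production check would also fetch each https action and verify that the certificate presented validates, since the article attributes the outage to a certificate that was misconfigured after an update.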

She attributed the misconfigured certificate to "human error" and insisted that no member's personal information was available on the public internet for all to see.

Security expert Peter Wesley of Hacklabs said a person with malicious intent would have needed to be on the same computer network as one of the parents to steal their personal information while they were signing up to the LEGO Club website during the period it was not secured.

If the parent had signed up to the website on a free, unsecured wi-fi connection, for example, and a hacker was also logged on, then the hacker may have been able to snatch the parent's information.

Although the above scenario relies on a number of things falling into place (and is unlikely to have occurred for many), LEGO Australia said it had informed the Privacy Commissioner about the matter.

Privacy Commissioner Timothy Pilgrim said he was pleased LEGO proactively notified him about the matter. "I have asked LEGO Australia to keep me informed of how they respond to the breach and once I receive that report I will determine whether we need to take any further action," Pilgrim said.

Wesley of Hacklabs said it was good of LEGO to inform customers of the matter "rather than keeping it quiet".

Instead of using an online form to sign up to LEGO Club, LEGO Australia now requires customers to sign up using a form they must print out and send via snail mail to its headquarters while it investigates the security incident.

5 comments so far

  • Well that was a bit of an overreaction...
    I'm sure people who receive the letter are going to think "OH NO SOME HACKER HAS STOLEN MY PERSONAL INFORMATION!!"
    When all that has happened is that the information they sent wasn't encrypted on the way there. As noted in the article, the hacker would have to be on the same network at the same time and deliberately trying to intercept all the information the person was sending...
    In short: There's a very very small chance that a hacker may have obtained any information at all and there's nothing to worry about.
    Date and time: May 25, 2012, 6:51PM

  • Hey Telstra, here is a good example of customer and PR management for you!!
    Date and time: May 25, 2012, 8:04PM

  • Yes, because your intelligent (tech savvy) paedophile spends years waiting for a security breach to identify the address and name of a five-year-old. The dumb ones just turn up at family BBQs or sit on the veranda watching passers-by.
    Date and time: May 25, 2012, 8:49PM

  • In good faith all registrations should receive FREE further membership for 10 years for this mistake (not error).
    Sans Souci
    Date and time: May 26, 2012, 1:23PM

  • It's a risk caused by unintentional human error. However, $20 for a lifetime membership of the LEGO club and magazine subscription is still one of the BEST deals available today.
    Date and time: May 26, 2012, 3:03PM