
LEGO security scare: 1591 customers potentially exposed


LEGO Australia has posted letters to 1591 parents who recently attempted to sign their children up to LEGO Club magazine, informing them that their personal information - as well as their child's - was not secured correctly.

In a letter dated May 14, LEGO said it had become aware that an area of its Australian and New Zealand LEGO Club website was "not secure" when accepting membership details between March 27 and May 5 this year.

LEGO Club membership costs $19.95 and includes access to LEGO Club magazine.

The May 14 letter said information that "may have been vulnerable" during the period included names, addresses, date of birth (if supplied), and phone number (if supplied). The date of birth was the child's, while the name was both the parent's and the child's.

In an interview Caroline Squire, LEGO's Australia and New Zealand director of marketing, said credit card information was also not secured correctly for the 1182 parents who signed their children up during the period its website wasn't secure. The 409 other parents who were also sent letters were those with incomplete registrations who did not enter their credit card but did enter their address.

Squire said the LEGO Club website lacked SSL encryption (the golden lock usually seen on banking and e-commerce websites) for the March 27 to May 5 period after an update to the website caused the SSL certificate to be incorrectly configured, meaning transactions during the period were not encrypted.

She cited "human error" as the reason the certificate was not configured properly and insisted that no member's personal information had been exposed on the public internet for all to see.

Security expert Peter Wesley of Hacklabs said a person with malicious intent would have needed to be on the same computer network as one of the parents to steal their personal information while they were signing up to the LEGO Club website when it was not secured.

If the parent had signed up to the website on a free, unsecured wi-fi connection, for example, and a hacker was also logged on, then the hacker may have been able to snatch the parent's information.
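The failure described above, a signup form that collects names, dates of birth, addresses and card details but submits them over plain HTTP, is one that a site owner can check for before and after every deployment. The following is an added example written for this article, not LEGO's code: given the URL a page was served from and its HTML, it flags any form that gathers sensitive fields and whose resolved action URL is not `https`. The field-name markers, the hostname `club.example.test` and the sample HTML are constructed for the demonstration; the separate `check_tls` helper performs a live certificate and hostname verification against a real host and is not exercised by the offline sample.

```python
"""Audit a signup page for forms that would submit personal data in the clear.

Added example, not LEGO's code. The sample page, hostname and field-name
heuristic below are constructed for illustration.
"""
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that mark an input as carrying personal or payment data
# (assumption: a simple heuristic, tune it for the site being audited).
SENSITIVE_MARKERS = ("card", "ccnum", "cvv", "dob", "birth", "address", "phone", "password")


class _FormCollector(HTMLParser):
    """Collects each <form> with its action attribute and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return [(action_url, sensitive_fields)] for forms that post sensitive data
    to a non-https URL."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty or relative action posts back relative to the page, so a
        # form on an http:// page silently inherits the unencrypted scheme.
        action = urljoin(page_url, form["action"])
        sensitive = [f for f in form["fields"] if any(m in f for m in SENSITIVE_MARKERS)]
        if sensitive and urlsplit(action).scheme != "https":
            findings.append((action, sensitive))
    return findings


def check_tls(host, port=443, timeout=5.0):
    """Live check (not run offline): connect with certificate-chain and hostname
    verification on, and return the certificate's notAfter string. A
    misconfigured certificate raises ssl.SSLError instead of being accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


# Constructed sample: a club signup page served over plain http after a broken
# update. The signup form has no absolute action, so it posts back over http.
SAMPLE_PAGE_URL = "http://club.example.test/signup"
SAMPLE_HTML = """
<form method="post">
  <input name="parent_name"><input name="child_name">
  <input name="child_dob"><input name="address"><input name="card_number">
</form>
<form method="post" action="/newsletter">
  <input name="email">
</form>
"""

if __name__ == "__main__":
    for action, fields in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"INSECURE: {action} collects {', '.join(fields)}")
```

Run against the constructed page, the audit reports only the signup form (the newsletter form collects nothing sensitive). The same page served from an `https://` URL produces no findings, which is exactly why the check has to be run on the live URL after each deployment rather than on the template alone: the page content did not change in the scenario the article describes, only the scheme it was served under.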

Although the above scenario relies on a number of things falling into place (and is unlikely to have occurred for many), LEGO Australia said it had informed the Privacy Commissioner about the matter.

Privacy Commissioner Timothy Pilgrim said he was pleased LEGO proactively notified him about the matter. "I have asked LEGO Australia to keep me informed of how they respond to the breach and once I receive that report I will determine whether we need to take any further action," Pilgrim said.

Wesley of Hacklabs said it was good of LEGO to inform customers of the matter "rather than keeping it quiet".

Instead of using an online form to sign up to LEGO Club, LEGO Australia now requires customers to sign up using a form they must print out and send via snail mail to its headquarters while it investigates the security incident.