A website update caused the SSL certificate not to work properly

May 30, 2012 11:11 GMT

The personal details of 1,591 parents who have tried to sign up their children to the LEGO Club magazine may have been exposed after the company failed to secure part of the website.

According to The Sydney Morning Herald, LEGO has sent out letters to all the potential victims, informing them that between March 27 and May 5, data such as names, addresses, child birth dates and phone numbers may have been accessed by third parties.

The worrying fact is that the majority of the individuals, 1,182 to be more precise, also provided credit card details in the same, unsecured, section of the website.

The incident is the result of a website update that prevented the SSL certificate from functioning properly, leaving all the transmitted data in clear text. This means that during the time in which the SSL encryption was missing, anyone with the technical know-how and ill intent could have intercepted the information submitted by the customers.

LEGO representatives blame the unfortunate event on “human error” and highlight the fact that unlike other similar situations, the private information hasn’t been posted online for anyone to access.

In a real-life scenario, the attacker would need access to the network from which the data is submitted in order to be able to intercept anything, for instance, if the parent accessed the website from an insecure Wi-Fi connection that was being monitored by a cybercriminal.

The chances for misuse in this particular case are slim, but it’s worth noting that LEGO handled the incident well, unlike other companies that tried to hide similar breaches.

Australia’s Privacy Commissioner has been notified and the incident is currently being investigated. Until the issue is completely addressed, customers are required to send the registration forms via email.