It's not all fun and games for LEGO right now: The Australian branch of the toy building company has informed nearly 1,600 people that their personal information, including credit card numbers, may have been compromised due to a website vulnerability.
LEGO Australia notified 1,591 parents who tried to sign up their children to the LEGO Club that the website "was not secure when accepting membership details" between March 27 and May 5, the Sydney Morning Herald reported. As a result, the parents' names, addresses, birth dates and phone numbers may have been exposed.
LEGO Club memberships, which cost $19.95, include a subscription to LEGO Club magazine and invitations to competitions.
"Please note that no fraudulent activity has been reported to us, and there is no evidence of suspicious activity using your information," LEGO Club's consumer service manager, Natalie Curr, said in a May 14 advisory. The toy company recommended those who received the notification monitor their bank accounts and report any unauthorized transactions.
In an interview with the Morning Herald, LEGO's Australia and New Zealand director of marketing, Caroline Squire, said credit card information for 1,182 parents also was improperly secured between March 27 and May 5 and may have been accessed. Squire said the LEGO Club website was not secured with secure sockets layer (SSL) encryption, meaning financial transactions were not fully protected.
LEGO Australia said it has fixed the problem, which it attributed to human error. Unlike in other data breaches, Squire said no LEGO Club member's personal information was posted on the public Internet for everyone to view. While it investigates the incident, LEGO Australia now requires customers to sign up by printing and mailing a form to the company's local headquarters.