Telstra said it reset the passwords of up to 230,000 customers of its GameArena and Games Shop services after the sites, which are operated by a third party, were hacked.
The company said that it believes only 35,000 members were directly affected by the breach, which resulted in the compromise of user names, email addresses, and encrypted passwords. But as a “precaution”, Telstra reset the passwords for 230,000 customers who access the sites using an email address other than one from BigPond, Telstra’s broadband service. Telstra stressed that no financial or credit card information was stored on the sites.
The Office of the Australian Privacy Commissioner (OAIC) said it was opening an investigation into the Telstra breach given the substantial number of customers affected.
This is the third data breach for Telstra in the last six months. In December, Telstra admitted that account details, passwords, user names, and email addresses of 800,000 customers were exposed on the internet. This was followed by an admission that 1,500 BigPond ISP customers had their names and emails posted online.
In a separate breach incident reported to the OAIC this week, LEGO Australia, the Australian subsidiary of the Danish toy building blocks maker, said that credit card information from close to 1,600 parents was collected by an insecure website in Australia and New Zealand.
In a letter to affected customers, LEGO Australia said that it became aware that an area of its LEGO Club website was not secure when it accepted applications for membership between March 27 and May 5 of this year.
The information that was collected included names, addresses, dates of birth, and phone numbers of parents and children, according to the letter. LEGO Australia said it notified the OAIC of the breach.
While not indicated in the letter, the insecure website also took credit card information from 1,182 parents who signed their children up for club membership, Caroline Squire, LEGO’s Australia and New Zealand director of marketing, told the Sydney Morning Herald.
An update to the website in March caused the SSL certificate to be incorrectly configured, which resulted in the transactions not being encrypted, Squire explained.