A data leak in the booking site for Legoland in Bavaria has made customer data accessible to everyone for several years.
Data leak in the Legoland booking site.
This week, colleagues from heise.de uncovered a data leak on the booking page for Legoland in Günzburg, Bavaria. The flaw had left travellers' personal data retrievable by anyone on the internet for around seven years.
Reader discovers data leak in online portal
The customer data could be retrieved by anyone as PDF files. Besides the planned travel period, each booking confirmation contained the name and postal address of the person who made the booking and the names of those travelling with them. The leak was noticed by a heise.de reader. After booking at Legoland, he received a link to his booking confirmation as a PDF. On closer inspection of the URL he found that simply changing a number in the link returned the booking confirmations of other customers: the server handed out the document for whatever number was requested, without checking that the requester was the customer the booking belonged to. This is the classic insecure direct object reference (IDOR).
Fraudsters could have read data
The PDF files generated by Legoland were numbered sequentially, with the number increasing by one for each booking. Because the identifiers were predictable and the download required no authentication, a simple script could have walked through the entire number range and collected every confirmation, and with it a large number of postal addresses. After the Legoland operator Merlin Entertainments Group was informed of the breach, the booking site was taken offline immediately. According to the company, the incident was reported to the Bavarian State Office for Data Protection Supervision (BayLDA).
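To make the flaw described in the two passages above concrete, here is an added example (not code from Legoland, Merlin or heise.de, and all bookings, names, addresses and log lines in it are constructed): a download handler keyed on a sequential booking number with no authorisation check, the few lines of scraping script that defeat it, a hardened handler that replaces the number with a random capability token and binds the booking to its owner when a session exists, and a small log check that flags a client walking consecutive numbers. The URL path /confirmation/<number>.pdf and the log format are assumptions for the example.

```python
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Booking:
    booking_id: int            # sequential number, one higher per booking
    customer_email: str        # account that made the booking
    name: str
    address: str
    travel_period: str
    companions: list[str]
    # Unguessable per-booking capability token (32 random bytes, 256 bits).
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed sample bookings; every name and address is made up.
BOOKINGS = {
    1001: Booking(1001, "anna@example.org", "Anna Muster",
                  "Musterweg 1, 89312 Günzburg", "2023-07-10 to 2023-07-12", ["Ben Muster"]),
    1002: Booking(1002, "carl@example.org", "Carl Beispiel",
                  "Beispielstr. 7, 80331 München", "2023-08-01 to 2023-08-03", []),
    1003: Booking(1003, "dora@example.org", "Dora Test",
                  "Testallee 3, 10115 Berlin", "2023-08-05 to 2023-08-06", ["Emil Test", "Frida Test"]),
}
BY_TOKEN = {b.token: b for b in BOOKINGS.values()}


def render_pdf(b: Booking) -> str:
    """Stand-in for the PDF renderer: returns the personal data the PDF would carry."""
    with_whom = ", ".join(b.companions) or "nobody"
    return f"Booking {b.booking_id}: {b.name}, {b.address}, {b.travel_period}, travelling with {with_whom}"


def vulnerable_confirmation(booking_id: int) -> Optional[str]:
    """The flaw as described: /confirmation/<number>.pdf (assumed path) is looked up
    by the sequential number with no check on who is asking."""
    b = BOOKINGS.get(booking_id)
    return render_pdf(b) if b else None


def scrape(start: int, stop: int) -> dict[int, str]:
    """The 'simple script': walk the number space and keep every hit."""
    hits = {}
    for n in range(start, stop):
        pdf = vulnerable_confirmation(n)
        if pdf is not None:
            hits[n] = pdf
    return hits


def hardened_confirmation(token: str, session_email: Optional[str] = None) -> Optional[str]:
    """Hardened lookup.

    The emailed link carries a random token instead of the sequential number, so
    there is nothing to increment and a lookup only succeeds on an exact 256-bit
    match. When the request arrives inside a logged-in session, the booking must
    also belong to that account (an ownership check, not just an unguessable URL).
    """
    b = BY_TOKEN.get(token)
    if b is None:
        return None
    if session_email is not None and session_email != b.customer_email:
        return None
    return render_pdf(b)


# Constructed access-log lines (assumed format): one client walks consecutive
# numbers, including a miss, while another fetches a single booking.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 203.0.113.5 GET /confirmation/1001.pdf 200
2023-06-01T10:00:02Z 203.0.113.5 GET /confirmation/1002.pdf 200
2023-06-01T10:00:02Z 203.0.113.5 GET /confirmation/1003.pdf 200
2023-06-01T10:00:03Z 203.0.113.5 GET /confirmation/1004.pdf 404
2023-06-01T10:05:17Z 198.51.100.9 GET /confirmation/1002.pdf 200
""".splitlines()

LOG_RE = re.compile(r"^\S+ (?P<ip>\S+) GET /confirmation/(?P<id>\d+)\.pdf (?P<status>\d{3})$")


def enumeration_suspects(log_lines, threshold: int = 3) -> set[str]:
    """Compensating detection: flag clients that request `threshold` or more
    distinct booking numbers. A customer fetches one booking; a scraper fetches
    them in sequence, and its 404s are the probes that missed, so they count too."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].add(int(m["id"]))
    return {ip for ip, ids in ids_by_ip.items() if len(ids) >= threshold}
```

The token approach fixes the enumeration, but a capability URL is only as safe as the channel it travels through; for data this sensitive the link should also expire, and the ownership check in hardened_confirmation is what stops a token that leaks through a mail forward or a browser history from being useful to a third party once the site requires login. The detector is no substitute for authorisation; it is the alert that would have shown a seven-year scrape in the first hour.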
Operator investigates data leak
Merlin Entertainments told heise.de that a "comprehensive investigation" had been carried out and that the company had taken "additional security measures". Because, in the company's view, no bank or credit card data had been exposed, the affected customers were not notified of the leak.
Heise points out that under the GDPR (Article 34) a controller must notify the data subjects when a breach is likely to result in a "high risk" to them. In the first instance it is the controller, here the operator of Legoland, that assesses whether such a high risk exists; the supervisory authority and, if it comes to that, the courts can later decide whether Legoland should have informed its customers.