LEGO Australia has warned 1591 customers that payments for an online membership were sent unencrypted.
The bungle was due to “human error”, the company told affected customers earlier this month. Unencrypted traffic was at risk of interception.
The Sydney Morning Herald reported transactions made between March 27 and May 5 were at risk.
Of those affected, 409 people had only entered some personal details but not credit card data.
The company has informed the Federal Privacy Commissioner.