Hacker flattens Legoland

Plastic brick theme park Legoland has had its UK website defaced by a hacker who took advantage of an inadequately secured SQL server.

The front page of the Legoland.co.uk site was replaced on Friday with a message from the hacker and a picture of a spacecraft made from Lego. The site was down on Monday morning, but was restored by midday.

The hacker, called Herbless, used the same method to hack several UK government websites last month. Experts said administrator error rather than a weakness in SQL server was to blame for leaving the websites open to attack.

Herbless used the attack to post a rant supporting DVD cracking software. The DeCSS software allows the decryption of DVDs. Several major Hollywood film studios last month won their fight to prevent the publishing of the software by the 2600 hacker magazine and website.

When SQL server is set up there is a simple default password for the SQL administrator. Unless the system is being used on a trusted network, which the company owns entirely, Microsoft recommends this password be changed. In an unchanged configuration hacks can take place.

Matt Tomlinson, business development at security consultancy MIS, said: "The majority of internet-facing servers running SQL server will be protected by port filtering and firewalls, exposing access to only HTTP ports. The wider implications are for those organisations that do not protect internal servers from internal users.

"Any organisation with any resemblance of an IT security policy will have changed the default (blank) password and put other protection methods in place."

In a statement, Legoland confirmed that its website had been compromised. It said sensitive booking information including credit card details is hosted on a separate secure server with an established internet bank and this information was not compromised.

Legoland said the security weakness on its site had been reviewed and measures taken to ensure that this type of attack could not be repeated.