Accidental Emails from New York Yankees CSR Expose Customer Data

Bob Styran, IT audit expert
May 01, 2011

The New York Yankees disclosed that a customer service representative at the baseball team had inadvertently sent out emails containing the customer data of about 18,000 ticket holders.

The poor data handling closely resembled the case of Gwent Police in Wales, England, which inadvertently emailed 10,000 Criminal Reference Bureau checks to a journalist. The email was said to have contained 863 sheets of personal data. That data breach, however, escaped penalties from the Information Commissioner’s Office.

According to Yankees fans who received the emails, the New York Yankees’ customer data was accidentally distributed in spreadsheets attached to a “Season Ticket Licensee Homestand Newsletter.” The data breach took place on the evening of April 25.

The data breach was traced to emails sent out by an account executive. The emails were part of a routine informational newsletter sent to about 2,000 customers.

According to recipients, a spreadsheet of customer data with the file name “STL Homestand Newsletter (042511)” was attached to the emails after a customer service representative bungled the process.

The customer service representative reportedly attempted to recall the message with a Microsoft Outlook recall command. However, recall only works when both sender and recipient use Outlook.

The emails that were sent to hundreds of Yankees season ticket holders contained names, addresses, phone numbers, fax numbers, e-mail addresses, fans’ seat numbers, and Yankees account numbers.

Recipients agreed that the customer data belonged to 17,687 non-premium season ticket holders, though the number of records was slightly higher, an estimated 21,467, because some ticket holders had purchased blocks of tickets.

Details of the data breach were posted on the discussion forum of the New York Yankees.

Nonetheless, according to a New York Yankees press statement, the customer data contained in the emails did not include highly confidential information such as Social Security numbers or credit card data.

Chester Wisniewski, a Senior Security Advisor at Sophos Canada, offered three ways of preventing data loss.

First, he suggested encrypting the spreadsheet to prevent accidental disclosure.

Second is to “implement endpoint [data loss prevention] software to watch for the transfer of sensitive data to instant message, email and other communication tools.”

Finally, he suggested scanning “outgoing email messages for personally identifiable information to prevent accidental disclosure.”
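As an illustration of the third measure, here is an added example (not from the article or from Sophos) of an outbound-mail check that parses a message, scans each part and attachment for PII-like tokens, and holds the message when an attachment looks like a customer list rather than a single contact. The newsletter, CSV layout, phone and account formats, and the hit threshold are all constructed for the example.

```python
import csv
import io
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Field types the leaked spreadsheet reportedly held; patterns are illustrative, not exhaustive.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
}
MAX_PII_HITS = 5  # constructed threshold: a newsletter may quote one contact, not dozens

def count_pii(text):
    """Count PII-like tokens in a block of text, per pattern name."""
    return {name: len(pat.findall(text)) for name, pat in PII_PATTERNS.items()}

def scan_outgoing(raw_bytes):
    """Parse a raw RFC 5322 message and decide whether it should be held for review."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers have no payload of their own
        payload = part.get_content()
        if isinstance(payload, bytes):  # non-text attachments come back as bytes
            payload = payload.decode("utf-8", errors="replace")
        hits = count_pii(payload)
        total = sum(hits.values())
        if total:
            findings.append({"name": part.get_filename() or "(body)", "hits": hits, "total": total})
    block = any(f["total"] > MAX_PII_HITS for f in findings)
    return {"block": block, "findings": findings}

def build_sample_message(n_rows):
    """Constructed newsletter with a CSV attachment shaped like a season-ticket holder list."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "phone", "email", "seat", "account"])
    for i in range(n_rows):
        writer.writerow([f"Fan {i}", f"212-555-{i:04d}", f"fan{i}@example.com",
                         f"Sec 203 Row {i}", f"ACCT{i:06d}"])
    msg = EmailMessage()
    msg["From"] = "tickets@example.com"
    msg["To"] = "fan@example.com"
    msg["Subject"] = "Homestand Newsletter"
    msg.set_content("This week's homestand schedule is attached.")
    msg.add_attachment(buf.getvalue().encode(), maintype="text", subtype="csv",
                       filename="newsletter.csv")
    return msg.as_bytes()
```

A message whose attachment carries a single contact passes, while one carrying a list of ticket holders is held; in practice the scan would sit at the mail gateway or endpoint agent before the message leaves the network.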

The baseball team went on to say it had immediately undertaken “remedial measures” shortly after the data breach to prevent a similar incident from happening again.

Even though the leaked information was not as sensitive as credit card data, security experts warned that the incident could open the door to phishing attacks. Worse, phishers could use the leaked details to lure victims into revealing more sensitive data or installing malicious software.

Reports said the customer service representative still works for the New York Yankees.


1 Comment for “Accidental Emails from New York Yankees CSR Expose Customer Data”

  1. Looks to me like Chester Wisniewski's comments are self-serving and actually are contrary to DLP.
    If the Excel spreadsheet is encrypted then the same data would still leave the Network but would leave securely. The recipient may still have access to such data. So actually, encrypted content should be blocked unless it was first scanned by the DLP system. Such scanning can be done at the Endpoint, as Chester Wisniewski suggested, or at the edge with a DLP sensor. There is no requirement to have it only at the endpoint.
    Uzi Yair
    GTB technologies, Inc.
