TWA began sending the weekly "Dot Com Deals" last night when a staff member noticed each bulletin listed hundreds of customers' individual email addresses. Typically, subscribers cannot see the addresses of other recipients.
By the time TWA programmers could resolve the problem late last night, the email addresses of 80 percent of TWA's subscribers had been disclosed, according to the company.
None of the people who received the TWA bulletin received a complete list of all other subscribers. Instead, most received a chunk of addresses close to their own in an alphabetical list. For example, a subscriber whose email address started with "jon" could have received dozens of email addresses beginning with the letters "jo."
TWA would not disclose the number of subscribers to its bulletin. But spokesman Mark Abels called the number "significant."
"It was obviously a mistake, and we're correcting it, and it won't happen again," Abels said from the company's headquarters in St. Louis. "We apologize. It's not appropriate, and it's not the way we normally do business."
Customers' credit card information, buying habits and physical addresses were not disclosed. But the breach could provide savvy marketers with coveted contact information for a potentially lucrative market: business and leisure travelers who are interested in last-minute travel deals and who may have a record of relying on the Net for big-ticket purchases, such as vacations.
Most major airlines rely on similar email bulletins to advertise discounts on last-minute tickets and travel packages.
TWA's mistake also could expose "Dot Com Deals" subscribers to spammers--people or organizations that send unsolicited bulk email, or spam.
"This should be a big concern to TWA and the subscribers," he said. "It's extremely valuable information. That's a very powerful list."
The accident comes at a time when many Net users are becoming increasingly alarmed at more serious security breaches that have plagued other companies.
RealNames, a company that substitutes complicated Web addresses with simple keywords, warned its users last month that its customer database had been hacked, exposing user credit card numbers and passwords.
Also in February, H&R Block's online tax filing service exposed some customers' sensitive financial records to other customers, prompting the company to temporarily shut down the system.
Although TWA's error is relatively harmless in comparison, the airline is taking pains to compensate. The company is emailing apologies to all subscribers and encouraging those who get bombarded with spam as a result to write to customer relations agents at firstname.lastname@example.org.