Yankees' error leaks personal data on 21,000 fans

Unlike other recent data leaks that involved hacking, this one at the Major League Baseball team was due to human error.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

A sales rep for the New York Yankees accidentally e-mailed a spreadsheet containing names, addresses, phone numbers, e-mail addresses, and seat numbers of more than 21,000 season ticket holders to thousands of clients, according to blog site Deadspin.

"There are no credit card numbers, but there are account ID numbers. And on Yankees.com, licensees need only their account ID number and password to access their accounts," the report said yesterday. "With the spreadsheet, we have all the account IDs and can probably guess more than a few passwords via spouse's names, street names, and good old 'abc123.' At the very least, the list email addresses are valuable to spammers."

Later, the Yankees sent an e-mail to season ticket subscribers confirming that a rep had inadvertently attached a file containing ticket holder information to an e-mail that was sent on Monday.

"Please note, immediately upon learning of the accidental attachment of the internal spreadsheet, remedial measures were undertaken so as to assure that a similar incident could not happen again," the e-mail said. "The Yankees deeply regret this incident, and any inconvenience that it might cause."

The mistake puts affected fans at risk of phishing attacks, and people should be wary of e-mails or phone calls from anyone claiming to be affiliated with the Yankees and asking for sensitive information.

The data leak contrasts with other recent breaches that are attributed to hacking attacks or unauthorized access. Sony warned this week of a serious breach on the Sony PlayStation Network that puts data of as many as 77 million customers at risk and potentially includes credit card numbers. Earlier this month, dozens of big-name financial companies and retailers were forced to warn customers about the potential for phishing attacks after a breach at e-mail marketing provider Epsilon. And DSLReports.com also had e-mail addresses stolen in an attack on its site this week.