April 28, 2011, 7:01 PM — A customer service representative with the New York Yankees accidentally e-mailed out personal details on close to 18,000 season ticket holders, the baseball team said Thursday.
According to a Yankees fan who received the spreadsheet, it was accidentally attached to a "Season Ticket Licensee Homestand Newsletter" sent Monday evening by a customer service representative.
The e-mail went out to several hundred season ticket holders, and contained names, addresses, phone numbers, fax numbers and e-mail addresses, along with the fans' seat numbers and Yankees account numbers.
The list contained data belonging to 17,687 non-premium season ticket holders, according to recipients, who posted details of the incident on a Yankees discussion forum. Because some ticket holders have several blocks of tickets, the total number of entries in the spreadsheet was even higher: 21,467.
The message was recalled by the sales representative within minutes, one recipient said. But by then it was too late.
The spreadsheet didn't have sensitive data such as Social Security numbers or credit card data, the Yankees said Wednesday in a press release, adding, "immediately upon learning of the accidental attachment of the internal spreadsheet, remedial measures were undertaken so as to assure that a similar incident could not happen again."
On its own, the type of information is not considered to be particularly sensitive. But security experts worry that big e-mail lists like this could be used as a stepping stone by phishers to create targeted attacks that then trick victims into disclosing more valuable information or installing malicious software.
Hackers have repeatedly gone after this information in the past. In recent weeks both Epsilon and software vendor Ashampoo acknowledged that they'd been hacked and e-mail addresses and customer names were stolen. In Ashampoo's case, the company's customers were then sent fake order confirmation e-mails that looked like they came from PurelyGadgets, a U.K.-based online retailer. These files contained maliciously encoded pdf documents that could install malicious software on the victim's computer if opened, according to Ashampoo.