NY Yankees staffer accidentally e-mails customer list

A customer service representative with the New York Yankees accidentally e-mailed out personal details on close to 18,000 season ticket holders, the baseball team said Thursday.

According to a Yankees fan who received the spreadsheet, it was accidentally attached to a “Season Ticket Licensee Homestand Newsletter” sent Monday evening by a customer service representative.

The e-mail went out to several hundred season ticket holders, and contained names, addresses, phone numbers, fax numbers and e-mail addresses, along with the fans’ seat numbers and Yankees account numbers.

The list contained data belonging to 17,687 non-premium season ticket holders, according to recipients, who posted details of the incident on a Yankees discussion forum. Because some ticket holders have several blocks of tickets, the total number of entries in the spreadsheet was even higher: 21,467.

The message was recalled by the sales representative within minutes, one recipient said. But by then it was too late.

The spreadsheet didn’t have sensitive data such as Social Security numbers or credit card data, the Yankees said Wednesday in a press release, adding, “immediately upon learning of the accidental attachment of the internal spreadsheet, remedial measures were undertaken so as to assure that a similar incident could not happen again.”

On its own, the type of information is not considered to be particularly sensitive. But security experts worry that big e-mail lists like this could be used as a stepping stone by phishers to create targeted attacks that then trick victims into disclosing more valuable information or installing malicious software.

Hackers have repeatedly gone after this information in the past. In recent weeks both Epsilon and software vendor Ashampoo acknowledged that they’d been hacked and e-mail addresses and customer names were stolen. In Ashampoo’s case, the company’s customers were then sent fake order confirmation e-mails that looked like they came from PurelyGadgets, a U.K.-based online retailer. These files contained maliciously encoded pdf documents that could install malicious software on the victim’s computer if opened, according to Ashampoo.

In a breach that could affect tens of millions, Sony said this week that someone had hacked into its PlayStation and Qriocity networks and stolen some personal information, possibly including credit card data.

Because it includes the addresses of thousands of season ticket holders, the spreadsheet could also give thieves a pretty reliable list of people to burglarize during Yankees games.

On the NYYFans.com discussion forum, fans were split — some calling for the sales rep’s job, others for forgiveness. “It’s a big mistake, but it’s still a mistake,” wrote one poster, named TheYankee. “To call for a man’s job over this seems heartless.”

Kathleen Keough contributed to this story.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com