http://sports.yahoo.com/mlb/blog/big_league_stew/post/E-mail-fail-Yanks-leak-personal-information-of-?urn=mlb-wp4657E-mail fail: Yanks leak personal info of 20,000 ticket holders
By Rob Iracane
Thousands of current season ticket holders for the New York Yankees got a surprise in their inbox on Monday, giving them an unexpected glimpse into the lives of their fellow fans.
Yes, someone in the Yankees front office unwittingly unleashed a spreadsheet containing the names, account numbers, mailing addresses, phone numbers, and email addresses of every single current non-premium season ticket holder
— 21,466 names in all — to a select list of recipients. The spreadsheet was an attachment to an email and has since spread all over the web.
That means if you subscribe to any sort of ticket plan with the Yankees and you don't sit inside the premium moat, your personal information has now been divulged to the world.
Change your passwords now, folks.
So how did this avalanche of private numbers and addresses begin? Barry Petchesky at Deadspin has the scoop (as did Ross at NYY Stadium Insider), and there's at least one person in the Yankees front office feeling like he or she pulled a Costanza:
The release of the spreadsheet can be traced to a simple mistake by a hapless Yankees season ticket rep, one wrong click revealing the team's records to all of his contacts. Monday morning, an account executive sent an email to nearly 2,000 clients, a regular informational newsletter that they receive periodically. According to several fans who received the email, a file labeled "STL Homestand Newsletter (042511)" was attached that contained the information on all non-premium ticket holders — not just the rep's own licensees.
In a move reminiscent of the Bridgestone "Reply All" commercial that aired during the Super Bowl, the hapless rep attempted to "recall" the errant email using a feature in Microsoft Outlook. Unfortunately, it didn't work.
The Yankees have since issued a letter to all their season ticket licensees, regardless of whether they were affected by this slip-up, finishing with this paragraph:
Please note, immediately upon learning of the accidental attachment of the internal spreadsheet, remedial measures were undertaken so as to assure that a similar incident could not happen again.
Full disclosure: I'm a direct beneficiary of Yankees tickets because my father has subscribed for the entire season package since 2000. I spoke with him on the phone Wednesday night and while he's not ready to pen a nasty letter to the Steinbrenners, he's disappointed that the Yankees did not more closely guard their clients' most personal of information.
So while the Yankees have apologized for the breach and promise that it won't happen again, people like my father must scramble to change their passwords for season ticket holder web access and worry about unwanted solicitations from strangers and businesses.
If someone were to figure out his password through brute force, they could potentially log in to his account and actually steal his tickets. How? Well, the Yankees website is tied to Ticketmaster and they give you the option of printing tickets on their account management page, or even emailing them to a friend. Convenient, yes, but in this case it makes it wildly easy to steal hundreds of tickets.
So what can the Yankees do to make things right?
First and foremost, they must produce a sacrificial lamb for the error and fire somebody. Who better than the ticket representative who was responsible? Sorry, pal, but even if it was an innocent mistake, it's exploded into something big enough to warrant dismissal.
The team needs to hire a new (or better) IT consultant, too, someone who can introduce safeguards on sensitive documents that would prevent them from getting disseminated as if they were mere press releases. To protect their clients like they protect late-inning leads, the Yankees essentially need the Mariano Rivera(notes) of IT guys, not the Rafael Soriano(notes).
Also, to prevent unauthorized users from logging on to the Yankees website and noodling around with ticket holders' info, the team should either issue new account numbers or provide a second level of security. Or perhaps a round of obscure Yankees trivia would do the case. After all, we all know that only real Yankees season ticket holders would know who holds the team record for most career triples.* Right?
*Lou Gehrig, 163
It's kind of odd, though, that Deadspin was the one to break this news. The sports blog is part of the Gawker media network that had its commenters' accounts and passwords compromised last year by a hacker. Folks, get out there and make sure your entire online life is safe and secure.
And if you work in a ticket department for a massively popular sports team, watch what you attach to your outgoing emails.
[colour, bolding and italics in original]