A spreadsheet containing New York Yankees season ticket holders’ information was emailed to nearly 2,000 people. The spreadsheet contained information on 21,446 ticket holders. When dealing with emails that hold quite a bit of data, it’s always advisable that one look into data encryption like AlertBoot.
VIPs Not Affected
The NYY revealed in a public statement that credit cards, dates of birth, and SSNs were not breached. The spreadsheet contained names, addresses, phone and fax numbers, email addresses, and Yankee account numbers. Also, Yankees rep names and ticket package codes were breached as well, although these would be corporate data, not personal data.
Deadspin.com has noted that the information only affects “non-premium” seats (the spreadsheet excluded luxury suites and the first rows). The breach was accidentally instigated by an employee who tried to recall the email. As people familiar with Outlook know, it only works when both the sender and the receiver are using the same system.
If some kind of data loss prevention (DLP) software had been set up, or if potentially the spreadsheet had been saved in encrypted format, this breach wouldn’t have occurred.
Such Data is Pretty Valuable
Overall, it doesn’t sound like this is a calamitous breach. On the other hand, it depends on how you define calamitous. The lack of financial account information and SSNs means that the breach won’t hit anyone’s pocketbooks (unless some kind of spam/phishing campaign is carried out succesffuly).
You’ve got to admit, though, that the information would be somewhat of a boon to telemarketers: they know people’s names, where they live, have a way of contacting them, and know that the love for the Yankees is what sets them apart from other people.
But, the information that can be gleaned goes further than this. I don’t follow the Yankees, or even baseball for that matter, but apparently the Yankees’ management keep their ticket sales figures close to the vest. Deadspin.com notes:
These numbers are fascinating in light of the Yankees’ repeated refusal to comment on their ticket sales, at a time when the stadium is obviously not full every night. The contents of the files are ripe for analysis. Members of the NYYfans.com message board are already deciphering the data, and one person made an attempt at crunching some of the raw numbers.
Apparently, the non-premium season ticket revenue is (remember now, this figure is very rough…and possibly waaaaaay off the mark) $131,978,910.
Of course, it doesn’t have to be off the mark. Someone who works in the industry, or is familiar with it, may be able to use the information and their background knowledge to make a more precise guesstimate. That the Yankee group won’t reveal such figures implies that the data could be of use to someone.
What can I say? Encryption software works, and hindsight shows that the file ought to have been cryptographically protected. Mistakes will happen, so policies that ask employees to check carefully before sending e-mails don’t always work (as in this case. The employee must have immediately realized what happened). A better data security policy may be to always encrypt files if they contain sensitive data and will be placed in an e-mail.
On the other hand, that too suffers from the fact that an employee has to encrypt it. The answer might be a DLP that will automatically pick up on particular types of information, and either stops it from being sent or encrypts it on the fly.
Related Articles and Sites: