Yankees Accidentally Leak Personal Info Of 20,000 Season Ticket Holders

The New York Yankees accidentally distributed a file containing information on more than 20,000 season ticket accounts. The spreadsheet contains account numbers, names, addresses, phone numbers, and email addresses, and was mistakenly sent to thousands of current clients.

Precisely 21,466 season ticket plans are listed in the document, representing all of the "non-premium" seats that make up the vast majority of Yankee Stadium, excluding only the suites and the first few rows in the infield. So the high rollers and celebrities aren't in here. Instead it's regular folks like Mike Janos of Tarrytown, N.Y., who has seats 19 through 24 in row 18 of section 211, or small businesses like All American Laundry in the Bronx, which opted for the 15-game "Friday" plan.

The release of the spreadsheet can be traced to a simple mistake by a hapless Yankees season ticket rep, one wrong click revealing the team's records to all of his contacts. Monday morning, an account executive sent an email to nearly 2,000 clients, a regular informational newsletter that they receive periodically. According to several fans who received the email, a file labeled "STL Homestand Newsletter (042511)" was attached that contained the information on all non-premium ticket holders — not just the rep's own licensees.

Within minutes, he attempted to "recall" the message using a Microsoft Outlook command, but this only works if both parties use the same system. Thousands received the file. (UPDATE: As of Wednesday evening, just as the Yankees first acknowledged the breach, that ticket rep was still at work for the team.)

We called multiple season ticket holders at random, based on their entries in the file. First we tried their work numbers, then their cell phones, and finally their email addresses. None had heard a single thing from the Yankees about their information being leaked. (The Yankees haven't returned our call.)

"That's news to me," said Peter Piroso of Brooklyn. "I'm going to give them a call right now. I'm going to see what they're going to do about it."

We caught James Rodriguez of Westport, Mass., at work: "People make mistakes, but how do you do that? Makes you not want to re-up with them, especially with what I'm paying. I have no idea what someone can do to me with that data."

It's unclear what one can do with the information contained in the file. There are no credit card numbers, but there are account ID numbers. And on Yankees.com, licensees need only their account ID number and password to access their accounts. With the spreadsheet, we have all the account IDs and can probably guess more than a few passwords via spouse's names, street names, and good old "abc123." At the very least, the list email addresses are valuable to spammers. Much like this month's Epsilon email breach, those listed in the Yankees' file could see an increase in spam and phishing attacks, and some licensees already report an increase in junk mail and unsolicited phone calls.

These numbers are fascinating in light of the Yankees' repeated refusal to comment on their ticket sales, at a time when the stadium is obviously not full every night. The contents of the files are ripe for analysis. Members of the NYYfans.com message board are already deciphering the data, and one person made an attempt at crunching some of the raw numbers. His post is apparently gone now, but in an attempt to pin down just how many tickets the Yankees have sold for this year, he came up with:

2,179,237 total subscriber tickets sold
26,904 full season equivalents
17,686 separate subscriber accounts

He also gives a rough estimate for total non-premium season ticket revenue as $131,978,910.

Here's a hint of how the data was packaged, with potentially identifying information blacked out.

We're parsing the spreadsheet, too, and will have much more on this soon. But we're refraining from posting the actual file. We are working on a way for fans to check if their information has been compromised, but know that if you bought any 2011 non-premium Yankees season tickets, you are on the list. We'd love to know if the Yankees have contacted you regarding the breach, and what they've offered to do to fix it, so please email us with your stories.

UPDATE: The Yankees have responded with this email to all season ticket subscribers. The subject line was blank.

We are writing to inform you about an accidental electronic distribution of information that you have previously supplied to the New York Yankees.

Monday evening, April 25, 2011, an employee of the Yankees sent an e-mail to several hundred Yankees Season Ticket Licensees. The e-mail mistakenly attached an internal Yankees spreadsheet that listed the following information associated with your New York Yankees account:

• Your name, and the address, phone number(s), fax number, and e-mail address that you previously provided to the Yankees.
• Your seat numbers, Yankees account number, Yankees account representative name, and the ticket package code associated with your account.

NO OTHER INFORMATION WAS INCLUDED IN THE DOCUMENT THAT WAS ACCIDENTALLY ATTATCHED TO THE APRIL 25TH E-MAIL. THE DOCUMENT DID NOT INCLUDE ANY BIRTH DATES, SOCIAL SECURITY NUMBERS, CREDIT CARD DATA, BANKING DATA OR ANY OTHER PERSONAL OR FINANCIAL INFORMATION.

Please note, immediately upon learning of the accidental attachment of the internal spreadsheet, remedial measures were undertaken so as to assure that a similar incident could not happen again.

The Yankees deeply regret this incident, and any inconvenience that it might cause.

Sincerely,

[Your Personal Ticket Rep]
Account Executive, Season Ticket Sales & Service
27-Time World Champions
New York Yankees
Yankee Stadium Ticket Office
One East 161st Street
Bronx, New York 10451