Major League Lacrosse just sent an email to every player currently in its player pool—this includes inactive players—alerting them to the fact that the league accidentally exposed their personal information, including their social security numbers.
The email, which was forwarded to us by multiple recipients, reads:
We are sending you this e-mail to inform you of a data incident that occurred on Wednesday, August 23, 2017 that involves some of your personal information. We take the privacy and protection of your information very seriously, and accordingly recommend that you closely review the information provided in this email for steps that you may take to protect yourself against the potential misuse of your information.
On Thursday, August 24, 2017, we became aware that a link on our player pool registration inadvertently linked to an excel spreadsheet which contained your full name, address, telephone number, email address, Social Security number, citizenship, date of birth, height, weight, position, college, graduation year, team, and non-MLL occupation. Upon discovery, we immediately disabled this link and began an investigation into the matter.
Although the investigation has just begun and is very much ongoing, given the sensitive nature of the information, we wanted to notify you of the incident now. We will be sending you a formal notice once further information is learned, including access to prepaid credit monitoring. In the meantime, we strongly advise you to immediately take the following steps:
1. Establish free 90-day fraud alerts with the three credit reporting bureaus. Their telephone numbers and websites are:
Equifax (888) 766-0008 https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp
Experian (888) 397-3742 https://www.experian.com/fraud/center.html
TransUnion (800) 680-7289
2. Consider placing a credit freeze on your accounts which will make it more difficult for someone to open an account. For more information:
3. If you become a victim of identity theft, file a complaint with the FTC at https://identitytheft.gov and law enforcement. The Federal Trade Commission also provides detailed and specific information about identity theft at their website, which we recommend you review.
We realize that this is a lot of information, but we wanted to provide you with immediate steps that you can take to protect yourself while this investigation is ongoing. You will receive further information as it is discovered. Please do not hesitate to call or e-mail us with any questions or concerns you may have.
Ryan Flanagan, a defender for the New York Lizards and a member of the MLL players’ council, provided a statement about the data breach to Inside Lacrosse. In it, he claims that players had previously complained about the league’s lack of data security, but that they were ignored:
This is unacceptable and inexcusable. The spreadsheet that was shared publicly with player information has been shared privately on more than one occasion. Players have previously requested that the file not be shared with anyone and that any files with player information be encrypted and password protected. This request was clearly ignored. On top of that, the issue of player information being shared publicly was brought to the attention of the league on Aug. 23. The league did not send a note to those impacted until Aug. 28. The individuals that were aware of the information breach went home for the weekend without making the players aware that their personal information was shared publicly. This is unacceptable.
We greatly appreciate Commissioner Gross offering prepaid credit monitoring to those impacted. However, the players of Major League Lacrosse have continued to create an outstanding on-field product for fans and deserve better treatment off-the-field in a variety of areas, including the protection of our personal information.