[Dataloss] Museum of Science in Boston MA posts patrons data

Henry Brown hbrown at knology.net
Sat Mar 29 23:55:10 UTC 2008


From the Boston Globe

http://tinyurl.com/2mfcdv
March 28, 2008

The Museum of Science has notified 140 patrons that their names, credit 
card numbers, and other personal information were exposed on the 
museum's website because of a contractor's error, but officials said 
there has been no evidence of fraud or identity theft.

Museum officials mailed notices Wednesday to the affected credit card 
holders, who took classes at the museum. They also notified another 183 
people whose personal, but not financial, information was exposed. 
Officials learned March 13 that a file of information from the 
course-registration database, which also included contact information 
and credit card expiration dates, could be reached through the museum's 
website.

A museum spokesman said the file's visibility was an inadvertent 
mistake, not a malicious attack. The information was supposed to be 
stored on the internal server.

"There's no indication the information was accessed for improper or 
fraudulent purposes," said Sofiya Cabalquinto.

The exposed file was created in early 2007 by an information contractor 
working on the museum's computer systems. It included information about 
students' specific classroom requirements or health concerns, such as 
allergies, but Cabalquinto said associating the information with 
specific students would be difficult.

The file was immediately removed, she said. She was unable to say how 
long the information was available. Officials learned of the problem 
from someone outside the museum who stumbled upon the information during 
a random search.

"We take the privacy and security of our visitors' information very 
seriously and have taken steps to ensure such incidents do not recur in 
the future," the museum said in a statement.


