Thursday, July 16, 2009

Boston Ballet School Data Breach

On Monday, July 13, 2009, the Boston Ballet School sent an email message to current and past students and supporters with the subject "High Tea with Miss Sydney Leonard". This email message contained an event invitation and a link to an evite for the event. However, it also contained something far less innocuous.

Attached to the email message was a 1MB Excel spreadsheet named "2005-2009 students.XLS". Opening this spreadsheet revealed a list of over 3,700 Boston Ballet School families and supporters, including their names, mailing addresses, telephone numbers, and Boston Ballet membership levels and expiration dates.

The next day, July 14, the School sent out another email message which read as follows:

Dear Boston Ballet School families and Alumni:

Boston Ballet School wishes to apologize for a recent email you received which included an invitation to Miss Sydney Leonard’s High Tea Party. The email contained an attachment that was not intended to nor should have ever been released. We are looking into this matter and ways to further our security efforts by protecting all families, patrons and other constituents associated with Boston Ballet. We hold the privacy of all patrons, both former and current, with the highest regards and once again apologize for this error.

Sincerely,
Boston Ballet School Administration

It is not clear whether the School also intends to notify in writing the individuals whose data were exposed. A cursory reading of Massachusetts law seems to suggest that they are not required to do so, since the exposed data did not include Social Security, driver's license, or account numbers.

I am publicizing this incident for several reasons:
  1. Raising public awareness of the frequency of incidents like this one is important.
  2. As embarrassed as I'm sure the School is about this incident, and as sincere as I am sure they are about preventing it from happening again, the bright light of public exposure tends to do a better job than private mea culpas of preventing recurrences.
  3. I am hopeful that publicizing the incident will compel the School to provide to the affected parties a more complete accounting of how this happened and what has been done to prevent it from happening again.

I am publicizing this incident anonymously because I do not wish resentment from the school administration related to the publication of this incident to impact my child's standing there.