Steamboat Springs A mass e-mail mistakenly sent Thursday morning by Steamboat Ski and Resort Corp. staff contained personal information of hundreds of Ski Corp. customers.
The information included names, phone numbers, home addresses and e-mail addresses.
"We have verified that an e-mail was inadvertently sent out to a portion of the resort's customer database, and in some cases, that e-mail contained some limited, basic guest reservation information," said Andy Wirth, vice-president of sales and marketing for Ski Corp. "However, no financial data, such as credit card information, was included in that e-mail."
Wirth said the e-mail was sent late Thursday morning. Under the heading "Regarding Your Steamboat Vacation," the e-mail thanks customers for their reservations and describes how to contact the ski area's Ski and Snowboard School.
Attached to the e-mail is a spreadsheet containing personal information for 399 customers.
"We take this matter very seriously, and we take the privacy of our guests very seriously," Wirth said. "We have begun an internal effort to thoroughly review this matter and make sure it does not happen again. Our primary focus has been getting in touch with the customers involved, and we have a team working on a thorough assessment and review."
Wirth said he did not know how many people may have received the e-mail, but acknowledged that Ski Corp.'s customer database contains thousands of entries.
"We are an organization that communicates quite frequently with our guests via e-mail," Wirth said.
Russ Ogden, 41, of Dallas, said he vacations in Steamboat a couple of times every year and is a member of the ski area's mailing list. Ogden said he was surprised to open the attachment on Thursday's e-mail.
"I'm an IT security person, and there's a lot of privacy information in that list," Ogden said. "If I was on the list, I would have been livid."
Douglas said he has testified before Congress on eight separate occasions, and his work has influenced numerous state and federal identity theft laws.
"What's happened here is they've sent an aggregated file to everyone on a mailing list," he said. "There could be civil ramifications for that - the people who are listed here have certainly been put at risk of identity theft."
Douglas said while the spreadsheet does not contain Social Security or credit card numbers, "there is enough information that even the most casual identity thief could obtain more information on these people."
Douglas said that under the 1999 Gramm-Leach-Bliley Act, a federal privacy law, travel agencies are considered financial institutions and must comply with the act, which states that even the name and address of a customer is protected information.
Douglas suggested Ski Corp. consider offering a year of credit monitoring to the individuals named on the list.
According to the Privacy Rights Clearinghouse, a nonprofit consumer information group, more than 100 million data records of U.S. residents have been exposed due to security breaches since February 2005.
"It's horrifying how frequently this happens in the corporate universe," Douglas said. "Who of us hasn't sent an e-mail where as soon as you hit the send button (you regret it)? It's a careless mistake, but it's a careless mistake that can have serious ramifications."
In May 2006, President Bush commissioned an Identity Theft Task Force and said U.S. citizens lose an estimated $50 billion a year to identity theft.
Wirth said Ski Corp. has always worked to "maintain the highest levels of privacy" for its customers.
"This is the first time I can recall anything like this happening," Wirth said. "Our focus right now is on reaching those guests and communicating with them on a personal basis. We'll see what the review and assessment reveals."
- To reach Mike Lawrence, call 871-4203
or e-mail firstname.lastname@example.org