The names and email addresses of 174,000 members, donors, and customers of camps and birthday parties at the Ontario Science Centre were exposed in August, according to the company that does email blasts for the provincially owned tourist attraction.
The breach was made public Monday evening when the Science Centre alerted its newsletter subscribers, although the Science Centre has been aware of the breach since August 16 when they were alerted by Campaigner, an Ottawa-based firm the Science Centre uses for email campaigns.
The alert sent to those affected stated that no other personal information was exposed.
According to the investigation by Campaigner, the breach occurred when a former employee’s credentials were used between July 23 and August 7 to access and download data from the Science Centre account that houses data related to mailings, newsletters, and invitations.
Campaigner will also be cooperating to help track down the perpetrator, according to the alert sent by the Science Centre.
Vanessa Lu, a spokesperson for the Ontario Science Centre, told the Toronto Star that Brian Beamish, the Ontario Information and Privacy Commissioner, was alerted by the Science Centre on October 3, and added that both the Science Centre and Campaigner will be reviewing their data security and retention policies.
“We have an open investigation, and our staff is working with the (Science Centre) to ensure the cause of the breach is fully investigated and that appropriate steps are being taken to contain the breach and prevent a reoccurrence,” Beamish wrote in an email to The Star. “Under Ontario’s privacy law, it is not mandatory for public sector institutions to notify individuals who may be affected by a breach, but it is certainly a best practice and we encourage institutions to notify as soon as is reasonably possible.”