Museum says data of patrons was public

The Museum of Science has notified 140 patrons that their names, credit card numbers, and other personal information were exposed on the museum's website because of a contractor's error, but officials said there has been no evidence of fraud or identity theft.

Museum officials mailed notices Wednesday to the affected credit card holders, who took classes at the museum. They also notified another 183 people whose personal, but not financial, information was exposed. Officials learned March 13 that a file of information from the course-registration database, which also included contact information and credit card expiration dates, could be reached through the museum's website.

A museum spokesman said the file's visibility was an inadvertent mistake, not a malicious attack. The information was supposed to be stored on the internal server.

"There's no indication the information was accessed for improper or fraudulent purposes," said Sofiya Cabalquinto.

The exposed file was created in early 2007 by an information contractor working on the museum's computer systems. It included information about students' specific classroom requirements or health concerns, such as allergies, but Cabalquinto said associating the information with specific students would be difficult.

The file was immediately removed, she said. She was unable to say how long the information was available. Officials learned of the problem from someone outside the museum who stumbled upon the information during a random search.

"We take the privacy and security of our visitors' information very seriously and have taken steps to ensure such incidents do not recur in the future," the museum said in a statement.