A summertime data breach exposed the names and email addresses of 174,000 Ontario Science Centre members, donors and others including customers for camps and birthday parties, the Star has learned.

Campaigner, a company that does email blasts for the provincially owned tourist attraction, informed the science centre on Aug. 16 that “someone made a copy of the science centre’s subscriber emails and names without authorization. No other personal identification, financial information or passwords were accessed.”

Ottawa-based Campaigner told the attraction that its investigation has since revealed that a former Campaigner employee’s credentials were used between July 23 and Aug. 7 to download data from the Science Centre account used for mailings, newsletters and invitations.

Article Continued Below

Campaigner has notified authorities and is providing assistance to help find the “perpetrator,” according to a science centre notice to email subscribers provided to the Star. The marketing company, part of U.S.-based j2 Global, did not respond Monday to a request for comment.

Vanessa Lu, a science centre spokesperson, told the Star her agency notified everyone whose information was compromised. Anyone with questions can email privacy@ontariosciencecentre.ca or call, on weekdays between 9:30 a.m. and 4:30 p.m., 416-696-3210.

The science centre is reviewing data security and retention policies, as did Campaigner, and notified Ontario Information and Privacy Commissioner Brian Beamish about the breach, Lu added.

Beamish told the Star that the Ontario Science Centre notified his office Oct. 3, one day after notices started going out to those affected.

Article Continued Below

“We have an open investigation, and our staff is working with the (Science Centre) to ensure the cause of the breach is fully investigated and that appropriate steps are being taken to contain the breach and prevent a reoccurrence,” Beamish wrote in an email.

Click to expand

“Under Ontario’s privacy law, it is not mandatory for public sector institutions to notify individuals who may be affected by a breach, but it is certainly a best practice and we encourage institutions to notify as soon as is reasonably possible.”