Skifield operator Ruapehu Alpine Lifts today emailed customers to say its database security had been tightened, after personal details were found to be accessible to those who knew names and birthdates.
The oversight on the Mt Ruapehu skifield website had been remedied, marketing manager Mike Smith told customers in the email.
While no financial or payment information was kept on the website, from the beginning of April visitors could access the home addresses, phone numbers and email addresses of 18,000 pass holders.
Customers accessed the database only when buying a season pass.
The amount of information required had now been reduced, after complaints from "a number of customers", Mr Smith said.
The Office of the Privacy Commissioner contacted website operator Ruapehu Alpine Lifts, which today added password protection to the site.
Alpine Lifts then removed "all external access" to the database.
"We would like to assure customers who have already bought a 2009 season pass that their information can not be accessed by anyone outside of the company and apologise for any alarm this situation may have caused."