I see two places where there is a potential for trouble. First, when you are reading in from the Spreadsheet. Second, when you are writing to the serialized object.
Not sure what your access modifiers are on the two methods, but yes, two users can potentially corrupt the read and/or writes.
What kind of access does the method (you posted) in the service allow?
Since it is in turn calling the loadSpreadSheet() method, restricting access to this method should suffice your need. But if you want a less obtrusive way, just synchronize the serialized object and go from there.