More details emerge on extent of ticketing company breach


After filing a Freedom of Information Act (FOIA) request, a researcher has uncovered more details on the extent of a breach impacting a third-party ticketing service provider.  

On Tuesday, a researcher and curator for the nonprofit Open Security Foundation, who goes by the online name “Dissent Doe,” revealed that more than 34,000 North Carolina residents who booked tickets through San Francisco-based Vendini's ticketing system were impacted. Breaches affecting the personal information of residents in the Tar Heel State must be reported to the attorney general's office.

Vendini provides ticketing services for hundreds of businesses in the United States and Canada, including tour operators, casinos and venues for arts, entertainment and sporting events.

On March 29, intruders accessed a database belonging to the company, exposing customer credit card numbers and expiration dates, names, phone numbers and physical and email addresses, said CEO Mark Tacchi, who posted the details on Vendini's blog in May.

That month, it surfaced that nearly 23,000 individuals in Maine were reportedly impacted, and in June, news broke that more than 33,000 customers of the University of Michigan's Ticket Office were victims.

On Wednesday, Keith Goldberg, vice president of marketing at Vendini, told SCMagazine.com that the credit card data accessed by hackers was encrypted, though other compromised information was not.

He declined to comment on how many businesses Vendini services, but confirmed that “all of them” were impacted by the breach.

On whether instances of fraud or identity theft have surfaced as a result of the incident, Goldberg said no.

“There's been no confirmed cases,” he said. “There's nothing that definitely ties back to this [breach].”

Dissent Doe, who works professionally in the health care space, has published a running list of the venues and businesses reporting data breaches to their customers as a result of using Vendini's services.

The incident is a reminder for companies to check their contracts with vendors or contractors that handle sensitive data. In most cases, the burden to notify breach victims will fall on the customer, not a third-party provider like Vendini.

“Why Vendini is allowing this to dribble out instead of just being more upfront about the numbers involved escapes me,” Dissent Doe said. “But significantly, a number of their clients were unpleasantly surprised to discover that their contracts with Vendini did not require Vendini to make the patron notifications and that it was on them to do so.”
