After filing a Freedom of Information Act (FOIA) request, a researcher has uncovered more details on the extent of a breach impacting a third-party ticketing service provider.
On Tuesday, a researcher and curator for the nonprofit Open Security Foundation, who goes by the online name “Dissent Doe,” revealed that more than 34,000 North Carolina residents who booked tickets through San Francisco-based Vendini's ticketing system were impacted. Breaches affecting the personal information of residents in the Tar Heel State must be reported to the attorney general's office.
Vendini provides ticketing services for hundreds of businesses in the United States and Canada, including tour operators, casinos and venues for arts, entertainment and sporting events.
On March 29, intruders accessed a database belonging to the company, exposing customer credit card numbers and expiration dates, names, phone numbers and physical and email addresses, said CEO Mark Tacchi, who posted the details on Vendini's blog in May.
That month, it surfaced that nearly 23,000 individuals in Maine were reportedly impacted, and in June, news broke that more than 33,000 customers of the University of Michigan's Ticket Office were victims.
On Wednesday, Keith Goldberg, vice president of marketing at Vendini, told SCMagazine.com that the credit card data accessed by hackers was encrypted, though other compromised information was not.
He declined to comment on how many businesses Vendini services, but confirmed that “all of them” were impacted by the breach.
On whether instances of fraud or identity theft have surfaced as a result of the incident, Goldberg said no.
“There's been no confirmed cases,” he said. “There's nothing that definitely ties back to this [breach].”
Dissent Doe, who works professionally in the health care space, has published a running list of the venues and businesses reporting data breaches to their customers as a result of using Vendini's services.
The incident is a reminder for companies to check their contracts with vendors or contractors that handle sensitive data. In most cases, the burden to notify breach victims will fall on the customer, not a third-party provider like Vendini.
“Why Vendini is allowing this to dribble out instead of just being more upfront about the numbers involved escapes me,” Dissent Doe said. “But significantly, a number of their clients were unpleasantly surprised to discover that their contracts with Vendini did not require Vendini to make the patron notifications and that it was on them to do so.”