Online Ticketer Vendini Hit by Hack, Warns Customers a Month Later
The latest data breach victim is online ticket vendor, Vendini, hit by a hack that has compromised at least one million accounts. That's bad enough, but Vendini also stumbled badly in its damage control.
A few months ago, I bought a theater ticket to see a dark little play called “A Behanding in Spokane.” Now I feel like I’ve been behanded. That’s because I used a giant online ticket vendor called Vendini to buy those tickets. Now it turns out that Vendini has been hacked, and the bad guys may well have my credit card information.
There have been so many data breaches and credit card hacks that most of us know the drill. Check your bank and credit card statements and change your passwords and if necessary notify a credit reporting agency. What infuriates me about this particular incident is how poorly Vendini appears to have handled it.
I got an email from Vendini on May 23 that says: “We regret to inform you that on April 25, 2013, Vendini, Inc. detected an unauthorized intrusion into its systems.” Excuse me? April 25? That’s nearly a month between the discovery of the hack and the arrival of that email, which means the bad guys had weeks to pillage my accounts, and hundreds of thousands, maybe millions, of people who have used the service. (Vendini also posted the message online.)
Why didn’t the company notify us? Says Vendini: “We are actively cooperating with federal law enforcement, and this notification to you was delayed specifically to support law enforcement’s investigation.” That’s nonsense. It’s one thing to keep certain details of a crime from the public; it’s quite another to withhold that information from potential victims.
Vendini says that it does not store CVC numbers (the three-digit authorization code on the back of a credit card), so that makes a hack somewhat less likely. However, not all online sites require a customer to use the CVC number, and other information stored with Vendini could be used to ferret out other financial information.
Naturally, I asked Vendini about this and have yet to get a reply to that question or information on how many accounts are at risk and what security measures the company has taken to keep this from happening again.
Since I use more than one debit and credit card, and the email gave no hint of which account may have been hacked, I’ve had to check every single one of those statements looking for bogus charges. So far so good.
In the first three months of 2013, there were at least 131 significant data breaches, involving more than 800,000 accounts, according to the Identity Theft Resource Center. This is really out of hand. There’s simply no excuse for vendors to hide for weeks that the bad guys have accessed personal data.
San Francisco journalist Bill Snyder writes frequently about business and technology. His work appears regularly in CIO.com and the publications of Stanford's Graduate School of Business and the Haas School of Business at the University of California at Berkeley. He welcomes your comments and suggestions.