University of Michigan Union Ticket Office patrons' personal information at risk after database breach
Credit card information belonging to 33,260 people who have bought tickets at the University of Michigan Union Ticket Office over a 20-month period may have been stolen, according to a school official.
Angela Cesere | AnnArbor.com
U-M was informed of the breach on May 21 but waited until Wednesday, June 12, to inform patrons by email. The school waited 22 days to inform people because it was fact-finding and coordinating with the San Francisco-based vendor, U-M Director of Communications Kelly Cunningham said.
Names, mailing addresses, phone numbers and credit card numbers and expiration dates were all possibly stolen in the breach.
"Although our internal investigation is ongoing, we believe that in late March, a third-party criminal actor used hacking technologies to access our databases and may have accessed personal information," a Vendini release said.
The information of anyone who purchased from the office —either in-person or online— between September 1, 2011, and April 25, 2013, is vulnerable.
"We're making sure they're looking into it, that they fixed it right away," Cunningham said. Vendini says that in addition to the criminal investigation it is conducting its own internal investigation into the breach.
Cunningham said the ticket office is still using Vendini to handle credit card purchases.
"We are also speaking with them about the breach to ensure that the issue is resolved for the future," she added.
The ticket office sells tickets to a wide range of performances, including shows at The Ark, the Power Center and Hill Auditorium, among others. The box office offers tickets to both student and professional performances as well as discounted Cedar Point admission tickets during the summer. The office also serves as a location for validating student football tickets to non-student users.
Vendini is suggesting that affected customers avoid responding to any requests for sensitive personal information in relation to this incident and regularly view their credit card account statements for any unauthorized activity.
U-M sent an email to ticket office patrons on Wednesday around 6 p.m. Cunningham said the Vendini also is contacting patrons separately.
Correction: This article had been corrected to reflect that box office transactions that occurred over a 20-month period are vulnerable.
Business reporter Ben Freed contributed to this article.