Posted on Thu, Jun 13, 2013 : 10:48 a.m.

University of Michigan Union Ticket Office patrons' personal information at risk after database breach

By Kellie Woodhouse

Credit card information belonging to 33,260 people who have bought tickets at the University of Michigan Union Ticket Office over a 20-month period may have been stolen, according to a school official.



Vendini, Inc., the company that handles credit card transactions for the box office, announced that an “unauthorized intrusion into its systems” was detected April 25.

U-M was informed of the breach on May 21 but waited until Wednesday, June 12, to inform patrons by email. The school waited 22 days to inform people because it was fact-finding and coordinating with the San Francisco-based vendor, U-M Director of Communications Kelly Cunningham said.

Names, mailing addresses, phone numbers and credit card numbers and expiration dates were all possibly stolen in the breach.

"Although our internal investigation is ongoing, we believe that in late March, a third-party criminal actor used hacking technologies to access our databases and may have accessed personal information," a Vendini release said.

The information of anyone who purchased from the office, either in person or online, between September 1, 2011, and April 25, 2013, is vulnerable.

"We're making sure they're looking into it, that they fixed it right away," Cunningham said. Vendini says that in addition to the criminal investigation it is conducting its own internal investigation into the breach.

Cunningham said the ticket office is still using Vendini to handle credit card purchases.

"We are also speaking with them about the breach to ensure that the issue is resolved for the future," she added.

The ticket office sells tickets to a wide range of performances, including shows at The Ark, the Power Center and Hill Auditorium, among others. The box office offers tickets to both student and professional performances as well as discounted Cedar Point admission tickets during the summer. The office also serves as a location for validating student football tickets to non-student users.

Vendini is suggesting that affected customers avoid responding to any requests for sensitive personal information in relation to this incident and regularly view their credit card account statements for any unauthorized activity.

U-M sent an email to ticket office patrons on Wednesday around 6 p.m. Cunningham said Vendini also is contacting patrons separately.

Correction: This article has been corrected to reflect that box office transactions that occurred over a 20-month period are vulnerable.

Business reporter Ben Freed contributed to this article.

Kellie Woodhouse covers higher education for Reach her at or 734-623-4602 and follow her on twitter.



Fri, Jun 14, 2013 : 3 p.m.

@A2comments: The Michigan League Ticket Office uses the Tessitura ticketing system. The League isn't associated with the Michigan Union Ticket Office or any other ticket broker service.

Sheila Parsons

Fri, Jun 14, 2013 : 2:36 p.m.

Bought tickets through U of M Ticket Office in April. The fraud department at Visa notified me within a week that my card had been charged $53.00 worth of takeout in Chicago (I lived in TX at the time) and had ordered a credit check at Equifax. Cancelled the card, and when the new one arrived, the last 4 digits were the same as my social security number. Had to cancel the card immediately, and although the Visa folks called it a "coincidence," I cannot believe that. I am very glad that I have the Visa fraud people watching my back, and whenever I have travel plans or a large purchase, I notify them.


Fri, Jun 14, 2013 : 12:26 p.m.

On March 20, 2013, two fraudulent internet purchases were charged to my personal credit card, the one I have used to purchase tickets at the Michigan Union Ticket Office. The timing of these two transactions fits well within the timeline stated by Vendini, i.e. that the hacking occurred in late March. I review my credit card transactions online weekly, so I noticed these two unauthorized transactions quickly, notified my credit card company and cancelled the card immediately. Because I was just about to leave for a vacation, and had secured all my vacation arrangements with the old card, the problem caused me great inconvenience, not to mention having to cooperate with a credit card company that always assumes, in the first instance, that the cardholder has either forgotten he/she *really* placed the fraudulent transactions at issue, or is simply lying about them to avoid payment. What a headache. BE CAREFUL and monitor your statements closely. These security breaches seem to be increasing in frequency.


Fri, Jun 14, 2013 : 10:42 a.m.

Is this part of the problem of Chinese hacking? I bet the company knows the country of origin of the hackers. The reason I ask is that if it was Chinese hackers it would put a more personal face on the problem of Chinese hackers. Some of the Chinese hacking is for military secrets but much of it is for profit. Shanghai Jiao Tong University, where Michigan's Chinese campus is located, has an entire institute dedicated to "Internet Security" and was the source of the hacking into Google and other businesses. They have hacking clubs for students at SJTU. Undoubtedly they contribute to the Chinese hacking problem.


Fri, Jun 14, 2013 : 10:42 a.m.

Who does the Michigan League Ticket Office use? There are requirements for encryption of credit card data. How did this company avoid those? How could U of M not make sure that all their credit card processors comply with this well-known requirement?


Fri, Jun 14, 2013 : 5:05 a.m.

How about the $3 convenience fee per ticket when you purchase online with a credit card? Does not seem convenient right now.


Thu, Jun 13, 2013 : 11:18 p.m.

This is why Cash still remains King.


Fri, Jun 14, 2013 : 12:03 a.m.

Yes, I do. And so does cash. :-) Seriously, this kind of breach is not acceptable.


Thu, Jun 13, 2013 : 11:16 p.m.

So what "facts" did they "find" during those 22 days that they unilaterally and unknowingly put their customers at risk? I guess they had to get the PR stuff in order first. Gotta have your priorities.


Thu, Jun 13, 2013 : 8:29 p.m.

Does the University of Michigan Union Ticket Office have to use Vendini, Inc for their customers' credit card purchases? If Vendini, Inc has not identified how their system was hacked how can they guarantee that they will not be hacked again?


Thu, Jun 13, 2013 : 8:23 p.m.

If the previous statements are true and this is the second time their security has been breached, the U should definitely look for a company that can keep its records secure. This is not funny and if people's cards are used it will be major headaches for them. They need to use a company that can be trusted.


Thu, Jun 13, 2013 : 8:19 p.m.

Vendini should pay for identity theft protection for those affected by their poor security procedures. If not, Mich U should sever their ties to this second rate company.

Paul Wiener

Thu, Jun 13, 2013 : 7:29 p.m.

Vendini also suffered a criminal breach half a year ago via the Purple Rose theatre - its patrons were warned. They too continue inexplicably (to sane people) to use Vendini. Needless to say, I'll never buy tickets on credit with either Purple Rose or U-M Ticket Office again, and I hope no one else does.

Nicholas Urfe

Thu, Jun 13, 2013 : 7:08 p.m.

Another major delay by the University in disclosing information the public has an interest in knowing. Is there an official "Office of withholding information" at the U?


Thu, Jun 13, 2013 : 7:07 p.m.

Same company and same problem for patrons of the Purple Rose Theater. PRT sent out notification last week.


Thu, Jun 13, 2013 : 5:16 p.m.

I've left messages with both U of M and Vendini asking which of my cards they have on file. I've never been a victim of identity theft and hope I won't be one now.


Thu, Jun 13, 2013 : 4:48 p.m.

The article says credit card info was stolen for people who bought tickets "over a 32-month period," but the dates given are September 1, 2011 -- April 25, 2013, which is only 20 months. Which is correct? If it was 32 months, when was it? Please clarify.

Kellie Woodhouse

Thu, Jun 13, 2013 : 5:10 p.m.

It was a 20-month period. I am not quite sure how that mistake happened and I apologize. A correction should be live soon.


Thu, Jun 13, 2013 : 4:37 p.m.

That's part of what you get for your HUGE season ticket price! They were too busy trying to figure out how to get more money from season ticket holders!


Thu, Jun 13, 2013 : 7:56 p.m.

Guess I jumped the gun. My mistake. Saw the headline then saw red.





Thu, Jun 13, 2013 : 6:36 p.m.

The Michigan Union Ticket Office doesn't have anything to do with the Athletic Department ticket office. MUTO sells concert tickets and special events.


Thu, Jun 13, 2013 : 3:58 p.m.

It's odd that Vendini notified me directly about this breach several days ago, due to purchases through them for a non-MUTO venue. I'm not sure why U of M waited several more days to notify - it seems to me that people were left unnecessarily unaware of the risk they were facing.


Fri, Jun 14, 2013 : 11:07 a.m.

I agree - It was weird that I got an e-mail from Vendini that said NOTHING about Michigan. It only had a Maryland address on it. I thought it was junk mail until a few days later MUTO sent a message.

Alan Goldsmith

Thu, Jun 13, 2013 : 3:44 p.m.

"U-M was informed of the breach on May 21 but waited until Wednesday, June 13, to inform patrons by email." This is not acceptable. Fact finding? This information should have gone out to customers immediately. So their advice (U of M and Vendini) is watch your credit card statements and we'll see ya around?

Ben Freed

Thu, Jun 13, 2013 : 3:02 p.m.

You can read a full statement from Vendini Inc. here on their blog: