Credit Card Security Breach: St. Louis Classical Guitar Society's Ticket Service Hacked

Schnucks is not the only local entity to fall victim to a large credit card security breach.

The St. Louis Classical Guitar Society, a local nonprofit music organization, sent out an alert this week to its e-mail list, warning members that the company that runs its ticket services -- a San Francisco-based business called Vendini -- has been hacked. And for some who have purchased tickets through the society's website, that means their credit card data and personal information might have been compromised.

"This is hard for everybody," William Ash, president of the society, tells Daily RFT. "We are sorry for our patrons that this happened.... We are going to be totally transparent and make information available immediately."

What went wrong?

The breach in this case originated with Vendini, which the guitar society has contracted with over the last two years for its ticket services.

The company, in a statement sent to Daily RFT and in its message to the guitar society, says that it detected an "unauthorized intrusion into its systems" which affected patrons who have used cards to make purchases through Vendini.

Vendini says that names and numbers may have been compromised and that it took "immediate steps to correct the problem, ensure the safety of patron information, and continue to provide all services without interruption." The service does not collect security access codes, like PINs, that are typically needed to complete a credit card transaction, the company notes.

For the guitar society, this means that members who used credit cards anytime between July of 2011 -- when it first started using Vendini -- through April 25 last month and directly entered credit card information into the Vendini system online could be affected. Transactions done in person or over the phone do not go through Vendini, Ash says.

(The guitar society may not be the only entity in St. Louis impacted by Vendini's breach).

Ash emphasizes that, with the help of Vendini, his organization should be able to identify everyone impacted and will send them personal e-mails alerting them, meaning that members who do not get additional messages from the guitar society should be safe. The number affected could be several hundred, but he doesn't know the specifics yet, he says.

Ash and Vendini officials both say that they are confident that as of April 25, the problem has been resolved and the systems are secure for use.

"I'm upset about this," Ash says, adding, "We'll do everything we can to make it right."

Vendini discovered the problem last month, but delayed notifying customers until recently, it says, in an effort to support federal law enforcement's investigation. Questions around possible delays in notification echo the controversy at Schnucks, which is facing lawsuits alleging that the supermarket chain took too long to tell customers.

"Of course, we would've liked to have known about this sooner," says Ash, adding that he alerted his members as soon as he found out.

"This came out of the blue," he says, later adding, "It sounds like this could've happened to any business."

The society brings well-known guitar performers to St. Louis and also does guitar education work in local public schools. It is currently prepping for a June 9 gala. Ash emphasizes that it is safe to buy tickets online -- but if people are worried, they can buy over the phone or in person.

Mark Tacchi, president and CEO of Vendini, says in a statement:

On April 25, we identified an unauthorized access to a database system containing credit card information. It is important to note we do not collect credit card security access codes (e.g., CVV, CVV2, PINs), information that is typically needed to complete a credit card transaction. While the scope of this is under investigation, we are taking this matter extremely seriously.

We took immediate steps to correct the problem, ensure the safety of patron information, and continue to provide all services without interruption. Our business is built on our ability to provide trusted services to our members and their patrons. We are working diligently to fully investigate this matter and prevent it from happening again.

We are working closely with outside computer forensic and cyber security experts, law enforcement officials, our client members, our merchant banks and credit card companies to see this matter fully investigated and to ensure that consumer-patrons are protected.

And here's the full e-mail Ash sent to his members, which includes Vendini's original message to the St. Louis Classical Guitar Society:

TO OUR VALUED MEMBERS, PATRONS, AND FRIENDS:

Yesterday we received this communication from our on-line ticket-selling service, VENDINI Incorporated. You are getting this alert because your email address is in our mailing list data base in the Vendini system. In most cases your name, address and often your phone number are also contained there as well.

If you have joined as a member, made ticket purchases, or donated to any of our programs with a credit card at some time between July 20 2011--when we first began using Vendini--and up through April 25 last month by directly entering your credit card information manually into the Vendini system while navigating through our website, this alert is most relevant to you.

If you have joined as a member, made ticket purchases, or donated to any of our programs with a credit card in person (such as purchasing tickets or other items at the door of the concert) or over the phone, we in turn convey this information directly to our bank, and it does not go through Vendini. In this case the intruders may still have gotten your name, address, phone number, and email address.

Vendini has promised us that by tomorrow their system engineers will send us a full list of everyone in our data base whose credit card information was on file and is at risk. We will immediately send a notice to you if you are in this group. If you do not hear from us you may assume that only your name, address, phone and email was at risk--in which case just be very vigilant about any strange or unusual correspondence that is sent you from unknown sources.

A Vendini representative told me over the phone that the delay in informing us of what they've known since late May of this year was required by federal investigators looking into this situation. I have no way to verify if this is accurate. But needless to say, this situation concerns us greatly. If we are dissatisfied with the company's responses and willingness to provide full restitution to our patrons we will indeed change services.

Their policy statement on liability and security issues may be found at: http://www.vendini.com/privacy/

Rest assured, we are on your side on this issue. We will not hold back or hide information from you. We have your best interests at heart.

You have my word on it.

Sincerely,

Bill Ash, President

Below is a summary of two emails sent to us yesterday. It includes all the essential information we have received.

FROM: Mark Tacchi, President and CEO, VENDINI TICKET-SELLING SERVICE

We regret to inform you that on April 25, 2013, Vendini detected an unauthorized intrusion into its systems. This incident affected our members' patrons who have used a credit card to make a purchase for an event that was processed through Vendini services.

We are actively cooperating with federal law enforcement, and this notification to you was delayed to support law enforcement's investigation. In addition, a full-scale, internal investigation is under way at Vendini with computer forensic and cyber security experts. Although our internal investigation is ongoing, we believe that in late March, a third-party criminal actor used hacking technologies to access our databases and may have accessed personal information, such as name, mailing address, email address, phone number, and credit card numbers and expiration dates that belong to our members' patrons. We do not collect credit card security access codes (e.g., CVV, CVV2, PINs) or social security numbers, patron usernames or passwords.

Upon discovering this intrusion, we engaged computer forensic and cyber security experts to commence an investigation. We implemented enhanced security measures designed to prevent a recurrence of this type of incident. At this time, we do not believe that this incident affects sales after April 25, 2013.

In the next day or so, Vendini will as appropriate directly notify certain affected patrons to provide information resources and encourage them to take steps to protect themselves from potential unauthorized use of their credit card.

If you suspect that you may be a victim of identity theft or fraud, immediately contact your local law enforcement agency, your State Attorney General's office and the Federal Trade Commission. We have enclosed a Resources Guide for your reference. Do NOT respond to any requests for sensitive personal information in relation to this incident. Vendini will never request such information via email or telephone unless it is absolutely necessary to respond directly to you regarding how this incident may impact you.

We sincerely regret this incident. Protecting data privacy and security is a top priority for our company. For more information regarding this incident, please contact us toll-free at 1-800-836-0473 or visit us at www.vendini.com/info.

Mark Tacchi, President and CEO

Send feedback and tips to the author. Follow Sam Levin on Twitter at @SamTLevin.