Back on May 22, this blog reported that Vendini, an online ticketing service provider, had experienced a hack on March 29 that they detected on April 25. Names, addresses, email addresses, credit card numbers and credit card expiration dates were on the hacked server.
The firm started notifying its clients during the week of May 21, but taking the position that as a service provider, they did not own or license the personal information of the clients’ customers, they only notified their clients (“members”) and not the individuals/patrons of those members.
In a follow-up letter to the New Hampshire Attorney General’s office dated June 21, Keith Goldberg, the Vice-President of Marketing, writes that the firm has been assisting members who requested help with notifying patrons and has been monitoring the notification process. Of note, he reports that two months after the breach was detected and one month after members were notified, some members have not notified their affected patrons of the breach.
In response, and maintaining their position that they are under no obligation to do so, Vendini has voluntarily undertaken to contact affected patrons if the members want them to.
By its own statement, Vendini provides box-office and online ticketing services to hundreds of Vendini members, which include tour, casino, sports, arts, and entertainment venues and promoters across the U.S. and Canada. The firm has not disclosed how many patrons, total, were affected by this breach, but does note that they are not aware of any confirmed instances of financial fraud attributable to this incident.