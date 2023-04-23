UW-Eau Claire’s event ticketing vendor experienced a security breach from Feb. 14 to Feb. 28, potentially affecting students, faculty and community members who bought tickets to attend university events.
Grace Crickette, vice chancellor for finance and administration, said UW-Eau Claire has been using AudienceView’s Campus product for event ticketing since the contract started with the company on June 11, 2020. The university has not been notified of other security breaches with this product in the past.
Crickette said UW-Eau Claire was notified by AudienceView on Feb. 22 that a security incident had occurred, and then on Feb. 23, AudienceView began disclosing to university clients that there had been a security breach with the Campus product.
“As a UW-Eau Claire vendor, AudienceView assumed a legal and contractual responsibility to secure the personal information of its users,” Crickette said. “After the breach, AudienceView communicated to UW-Eau Claire, and other universities, about the breach as required by their contractual agreement.”
AudienceView told the university 255 people who purchased tickets for UW-Eau Claire events had potentially been affected by the security breach, Crickette said. The university was able to confirm 54 out of the 255 people were students, faculty or staff who had used university-affiliated emails when purchasing tickets.
In a letter sent on March 28 to ticket buyers, AudienceView said buyers’ names, billing addresses, shipping addresses, email addresses and payment information could have been compromised between Feb. 14-Feb. 28.
The letter also included ways for ticket buyers to protect their personal information, such as credit monitoring and restoration through Cyberscout and contact information for credit reporting bureaus Equifax, Experian and TransUnion.
Crickette said if people receive a letter from AudienceView, they should take advantage of the credit monitoring options, but that most of UW-Eau Claire ticker buyers were not affected.
“Most of our ticket buyers were not impacted. AudienceView corrected the system and we were able to bring the system back up and people were able to continue buying tickets without issue,” Crickette said.
After AudienceView notified potentially impacted ticket buyers, Crickette said Director of Risk Management, Safety and Sustainability Brian Drollinger sent an email to the 255 people assuring them that the letter from AudienceView was legitimate.
“It has come to our attention that you recently received a letter from AudienceView Corporation regarding a security incident that occurred with their product. Even though the university’s network was not involved, we are contacting you so that you know that the letter you received from AudienceView is authentic and you can take advantage of their offer for credit monitoring,” Drollinger said in the email.
On March 9, Academic Affairs sent an email on behalf of Kent Gerberich, the chief information officer (CIO) and director of Learning and Technology Services (LTS), to the student body.
“My team and I are seeing an increase in identity-theft related incidents happening to students on campus. It is becoming increasingly important for everyone who uses a phone, a computer or social media to take some critical steps to keep your information secure,” Gerberich said in the email.
Gerberich’s email did not explicitly mention the security breach at AudienceView. Crickette said removing AudienceView from the message to students was intentional in order to comply with state statutes.
Crickette said Wisconsin Statute 134.98(2) states the responsibility of notification for a breach of personal information falls on the entity that maintains the information, and in this case, that entity is AudienceView.
“We also responded to AudienceView’s disclosure of the security breach and fulfilled our obligation to respect impacted individuals in the campus community,” Crickette said. “We ensured that AudienceView was responding appropriately, so we have an incident command process. We were meeting multiple times every day and really pressing to make sure AudienceView was responding appropriately and accordingly.”
Crickette said Wisconsin statutes do not give the university the ability to remedy on behalf of AudienceView, or other vendors, when there is unauthorized acquisition of personal information.
“This is a highly regulated area and there are very specific legal actions that vendors have to take and that depending on the entity, the degree of responsibility,” Crickette said. “We were fortunate that we have a good team here and we did instant command, and we were also able to get support from the UW System, both from their IT department and legal department on our actions that we took.”
The Spectator reached out to Casey Thomas, AudienceView’s public relations specialist, for a statement on the security breach.
“In mid-February, certain individuals’ information may have been subject to unauthorized access and acquisition. In response, we moved quickly to remove the identified malware from our Campus product and reviewed the potentially impacted data. All potentially impacted parties have been contacted and offered credit monitoring and identity protection services for 12 months, free of charge. A full investigation has been performed by third-party cybersecurity experts, Mandiant, and AudienceView has implemented additional security measures to further protect against similar incidents occurring in the future,” Thomas said.