This week I got the following message:
May 23, 2013
We regret to inform you that on April 25, 2013, Vendini, Inc. detected an unauthorized intrusion into its systems. Vendini provides box-office and online ticketing services to hundreds of entertainment venues, which include tour, casino, sports, and arts organizations across the U.S. and Canada. Based on our records, you used a credit card to make a purchase for an event that was processed through Vendini's service, and your information may have been involved in this incident.
We are actively cooperating with federal law enforcement, and this notification to you was delayed specifically to support law enforcement's investigation. In addition, a full-scale, internal investigation is under way at Vendini with outside computer forensic and cyber security experts. Although our internal investigation is ongoing, we believe that in late March, a third-party criminal actor used hacking technologies to access our databases and may have accessed your personal information, such as name, mailing address, email address, phone number, and credit card numbers and expiration dates. We do not collect credit card security access codes (e.g., CVV, CVV2, PINs), social security numbers, usernames or passwords.
It seems to me that taking a month to notify users of a security breach is really bad practice—it was unlikely to provide any extra forensic information, and left customers vulnerable for a really long time. In fact, I think that they were also slow to recognize the breach (which they now think happened in March). Amazon had notified me days earlier of an apparent identity theft:
Apr 19
Greetings from Amazon.com.
We perform routine reviews of orders to protect our customers. During one of these reviews we discovered that an account was opened with a card used by you on another account. For your reference the card in question is a VISA.
As it appears the card was used without your authorization, we have closed this new account and cancelled any outstanding orders. If the account is indeed yours, we apologize for any inconvenience caused and ask that you notify us as soon as possible by replying to this message.
If the card was used without your authorization, we recommend you cancel the card immediately by contacting the financial institution that issued the card.
You should review all recent charges made to this card, reporting any unauthorized charges to your financial institution. The financial institution, in turn, will send you forms to formally dispute the unauthorized charges, the applicable merchants will be notified and charged back, and your account subsequently credited.
Although we are not permitted to provide you with any details about the unauthorized use, we will provide this information to any law enforcement agency investigating this matter.