Vendini breach update
As I’ve noted before, the Vendini breach, reported previously on this blog, appears to fairly large, but has generally flown under national mainstream media attention. Instead, I see bits and pieces in local media or on organizations’ web sites as entities report that their patrons or members were affected (cf, reports involving Purple Rose Theatre, Baldwin Theatre, Stagecrafters, The Farmington Players , Lexington Children’s Theatre, Caterpillar Visitors Center, Touchstone Theatre, Cedar Crest College, Lehigh Valley Charter High School for the Arts , Valdosta State University, East Central College (notice), Ashville Community Theatre, St. Louis Classical Guitar Society, Winchester Little Theatre, Thalian Hall, Butler University, Wildey Theatre, Pacific Aviation Museum, The Arts & Science Center for Southeast Arkansas, Wartburg College, Oregon University System (Southern Oregon University Foundation, Western Oregon University, and Oregon State University), The Friends of Chamber of Music (cached), , and University of Michigan). And there are undoubtedly more that are not listed above.
Vendini’s reports to New Hampshire and California are available online, but I recently sent a FOI request to North Carolina, which requires entities to report breaches to the state.
In response, they sent me the breach notifications they’ve received so far, which I am uploading here:
Butler University – 411 affected
Asheville Community Theatre – approximately 20,000 North Carolina residents affected
Kirby Cultural Arts Complex – 147 affected
Central Piedmont Community College – approximately 12,000 affected
South Orange Performing Arts Center – 6,619 affected (Note: this breach was also reported to New Hampshire)
Thalian (part 1), part 2 – 6,000 affected
Why Vendini is allowing this to dribble out instead of just being more upfront about the numbers involved escapes me. But significantly, a number of their clients were unpleasantly surprised to discover that their contracts with Vendini did not require Vendini to make the patron notifications and that it was on them to do so. This serves as a useful reminder to check your contracts to ensure that if a vendor or contractors has a breach, they are responsible for notifying your customers or paying for you to do so.
Update to the update: I’ll just add other organizations as I come across them:
Xerox Rochester International Jazz Festival
Spirit Mountain (cached)
Berklee College of Music