June 4, 2023
Ithaca, NY | 52°F


Students’ bank accounts hacked because of ticketing software breach

Almost a month after attending a concert at Cornell University featuring Beach Bunny — a popular alternative rock band — on Jan. 28, several Ithaca College students’ credit and debit card information was breached and varying amounts of money were stolen. 

On Feb. 24, Information Technology at Cornell University released a security alert informing students that Cornell’s ticketing software partner and vendor, AudienceView, experienced a platform breach that affected ticket buyers beginning in February and some buyers are still losing money because of the breach.

In addition to Cornell and Ithaca College, other colleges and universities like Virginia Tech University, SUNY Oswego, Colorado State University, Loyola University Chicago and McMaster University in Canada were also impacted. 

According to the alert, in Ithaca, it specifically impacted people who had purchased tickets for shows and events organized by the Cornell Concert Series, Cornell Athletics, Cornell Tickets and the Schwartz Center for the Performing Arts. The concert featuring Beach Bunny was organized by the Cornell Concert Commission. According to the Ithaca College School of Music, Theatre, and Dance website, the college uses Tessitura for ticket sales and management. 

Cornell University senior Jennifer Muson, executive director of the Cornell Concert Commission, said several student clubs and organizations at the university are funded through the Student Activity Fee that all students are required to pay in order to fund student organizations. Muson said that since the Cornell Concert Commission has a large budget, these funds are managed by the Cornell Student Assembly, the university’s student governance body. Muson also said the commission is byline funded, which means that the Cornell SA determines what percentage of each student’s SAF goes to Cornell Concert Commission’s funds, which means that the commission has a fixed budget.

However, Muson said via email that the Cornell Concert Commission often goes over its budget and uses the funds it collects from ticket sales to make up for going over. Muson said this requires the Cornell Concert Commission to use AudienceView as a platform for ticket sales because AudienceView works with Cornell staff through a process that ensures that funds collected via ticket sales are deposited in the Cornell Concert Commission’s financial account, which Muson does not have access to because she is a student. 

“Since we get our funding through Cornell, that’s kind of what we’re limited to use, even though … our events are open to the public, it’s just what’s mandated,” Muson said. “It’s pretty upsetting that people who came to our concert or are dealing with this, I’m sad to hear that.”

First-year Ithaca College student Madison Schriver said she attended the concert and lost $60 from the AudienceView breach. She said she was disappointed to learn that students’ personal financial information was compromised. Schriver said she is hesitant to go to another concert that uses AudienceView as a ticketing vendor. 

“It’s kind of upsetting to know that it was specifically targeted to college students, and not just, like, people in general,” Schriver said. “Because I feel like a lot of college students face financial struggles or it’s just something that we think about a lot with just the price of college. So it’s kind of surprising and upsetting to realize [that] someone knew their target audience and still did that.”

Muson said she hopes to find an alternative ticketing vendor platform and software based on her experience with AudienceView, to prevent similar situations in the future.

“I haven’t gotten [communication or personal assistance from AudienceView],” Muson said. “That’s also maybe a bit questionable on the part of AudienceView and another reason to kind of move away from that platform. But I have an administrative account on that platform and I still didn’t get any kind of confirmation beyond the higher-ups at Cornell telling me that it’s OK now.”

Muson said she thinks the security breach on AudienceView’s end was irresponsible.

“I think that they have a huge responsibility hosting ticket sales for university students,” Muson said. “It’s not a demographic that typically has a lot of financial security and freedom. … When you don’t have a lot of money in your bank account … and you don’t have the full weight of a bank or lawyer on your side, it’s a very vulnerable population to this kind of security breach.”

Muson said that 1,184 people bought tickets to the Beach Bunny concert and that she has met five people who lost money. At least eight Ithaca College students have reported having lost their money as well, based on anecdotal reports. Some Reddit users who are Cornell students have claimed to lose over $1,000. 

“It seems like not everyone is dealing with this, but a lot of people still are,” Muson said. 

“Even though the breach has been dealt with, a lot of people’s information is still compromised from that [and] hasn’t been used yet.” 

First-year Ithaca College student Gaby Robino lost a total of $324 in three charges of $108 each after she bought tickets to an ice hockey game at Cornell University in February. 

“I was assuming that this was a stable way to do it because … [AudienceView] is something that’s used nationwide, it seems secure,” Robino said. “So, it is annoying that things that seem trustworthy, it never really is in this modern era where technology is at such a high level, but so are the people that can steal [information].”

While Schriver has been refunded the money she lost, Robino is working with her bank and will receive her refund deposit soon. 

Casey Thomas ’13, public relations specialist at AudienceView, said via email that efforts have been made by the company to ensure that stakeholders’ privacy is not compromised in the future. Thomas said AudienceView is working with Mandiant, a company that specializes in cyber threat investigations and security, to prevent breaches in the future. 

“In response [to the breach], we moved quickly to remove the identified malware from our campus product and reviewed the potentially impacted data,” Thomas said. “All potentially impacted parties have been contacted and offered credit monitoring and identity protection services for 12 months, free of charge.”

David Weil, chief information officer in the Ithaca College Department of Information Technology, said all higher education institutions need to use platforms like AudienceView to organize events, but both the organizers and the customers must responsibly deal with data.

Weil said that to avoid having credit or debit card information stolen, individuals should keep the following things in mind: putting fraud alerts on cards, checking bank statements regularly, contacting banks if something does not seem right and ensuring that they input sensitive financial information online only in a secure and encrypted website. 

“All colleges and universities and organizations need to rely on partners to provide some of the services,” Weil said. “As part of those partner arrangements, the institution does its due diligence and ensures to the best of its ability that there’s certain controls and security measures in place. And I’m sure Cornell did that … but at the end of the day, we’re relying on this other company to have secure policies and processes … as individuals, we’re going to utilize these services. And so the way we protect ourselves is through our due diligence.”