Dozens of universities affected by campus ticketing software cyberattack

Students at dozens of the biggest universities and colleges in the U.S. and Canada have been affected by a cyberattack targeting an online ticketing platform.

A spokesperson for the platform — AudienceView — told Recorded Future News that it suffered a cyberattack in mid-February that only affected customers using its Campus product which is used for athletics, performing arts and student life ticketing.

“In mid-February, certain individuals’ information may have been subject to unauthorized access and acquisition. In response, we moved quickly to remove the identified malware from our Campus product and reviewed the potentially impacted data,” the spokesperson said.

“All potentially impacted parties have been contacted and offered credit monitoring and identity protection services for 12 months, free of charge. A full investigation has been performed by third-party cybersecurity experts, Mandiant, and AudienceView has implemented additional security measures to further protect against similar incidents occurring in the future.”

The spokesperson declined to answer several other questions about parts of that statement, including the implication that malware was involved. When asked how many schools were affected and how many students received breach notification letters, the spokesperson declined to answer.

On Thursday, AudienceView submitted documents to the office of the Attorney General of Maine indicating that 13,045 people were affected by the cyberattack. In letters sent to victims, the company notes that it contacted federal law enforcement about the incident and is still investigating what happened.

It is unclear whether the company was simply hacked or if malware was injected into the AudienceView platform, allowing hackers to steal payment information from thousands of people.

University of California, Santa Cruz said in an update that it was informed of “a data breach that impacts the ticketing platform's national customer base.”

“On the morning of Tuesday, Feb. 21, 2023, AudienceView discovered that their product was impacted by a malware, which resulted in exfiltration of end consumers’ credit card information. When the incident was discovered, AudienceView took immediate steps to remove the malware and implement additional security measures to help safeguard against any unauthorized activity,” the school told students.

“An investigation into the matter revealed that information breached from AudienceView’s system includes personal credit card payment information.”

Aurora Higher Education Center said credit card numbers, expiration dates and CVV numbers were included in the breach.

On its website, AudienceView says schools like Johns Hopkins University, Cornell University, American University and Eastern Illinois University use the Campus product.

Multiple schools – like MIT, Virginia Tech University, Pomona College, SUNY Oswego, Colorado State University, Loyola University Chicago, Virginia Tech and McMaster University – released advisories about the cyberattack.

Your security breach wasn’t important enough for updates???? ZERO updates like it never happened? Take a look around to see the continued impact on customers. “We apologize for the inconvenience” really doesn’t capture the scope of what happened!

— NetBern (@Netbern) March 10, 2023

The Ithacan reported this week that several Ithaca College students had money stolen from their accounts after their credit and debit card information was involved in the AudienceView breach.

Cornell released a statement last month saying it was told by AudienceView that any student who purchased tickets between February 17-21 from Cornell Athletics, Cornell Tickets, Schwartz Center or Cornell Concert Series may have had their payment information leaked.

All of the other school advisories spotlighted the same time frame – February 17-21 – and warned students about fraudulent charges on their cards.

Several Cornell students told The Ithacan that they lost between $60 and $400 but on social media, some reported losing more than $1,000. Some students who used their parents’ cards to pay for tickets said they got calls about fraudulent charges.

A law firm investigating the incident said some customers experienced fraudulent credit card charges while others were “defrauded by individuals posing as representatives from their banking institutions who tricked victims into providing confidential information such as PIN and Social Security numbers.”

The law firm said at least 25 schools have reported being affected by the incident.

Updated (3/31/2023 at 12:15pm) with details about the company's filing with the Attorney General of Maine.