Security breach at campus event ticketing vendor AudienceView
UW-Eau Claire responds in compliance to state statutes, but students want more
UW-Eau Claire’s event ticketing vendor, AudienceView, experienced a security breach from Feb. 14 to Feb. 28, affecting students, faculty and community members who bought tickets to attend university events.
Grace Crickette, vice chancellor for finance and administration, said UW-Eau Claire has been using AudienceView’s Campus product for event ticketing since the contract started with the company on June 11, 2020, and the university has not been notified of other security breaches with this product in the past.
Crickette said UW-Eau Claire was notified by AudienceView on Feb. 22 that a security incident had occurred, and then on Feb. 23, AudienceView began disclosing to university clients that there had been a security breach with the Campus product.
“As a UW-Eau Claire vendor, AudienceView assumed a legal and contractual responsibility to secure the personal information of its users,” Crickette said. “After the breach, AudienceView communicated to UW-Eau Claire, and other universities, about the breach as required by their contractual agreement.”
The university was informed by AudienceView that 255 people who had purchased tickets for UW-Eau Claire events had potentially been impacted by the security breach, Crickette said. The university was able to identify that 54 out of the 255 people were students, faculty and staff because they had used university-affiliated emails when purchasing tickets.
In a letter sent on March 28 to ticket buyers potentially impacted by the security breach, AudienceView identified Feb. 14 through Feb. 28 as the time of the incident and that the buyers’ name, billing address, shipping address, email address and payment information could have been compromised.
The letter from AudienceView also included ways for ticket buyers to protect their personal information, such as credit monitoring and restoration through Cyberscout and contact information for credit reporting bureaus Equifax, Experian and TransUnion.
Crickette said if people receive a letter from AudienceView, they should take advantage of the credit monitoring options, but that most of UW-Eau Claire ticker buyers were not impacted by the security breach.
“Most of our ticket buyers were not impacted. AudienceView corrected the system and we were able to bring the system back up and people were able to continue buying tickets without issue,” Crickette said.
After AudienceView notified potentially impacted ticket buyers, Crickette said Director of Risk Management, Safety and Sustainability Brian Drollinger sent an email to the 255 people assuring them that the letter from AudienceView was legitimate.
“It has come to our attention that you recently received a letter from AudienceView Corporation regarding a security incident that occurred with their product. Even though the university’s network was not involved, we are contacting you so that you know that the letter you received from AudienceView is authentic and you can take advantage of their offer for credit monitoring,” Drollinger said in the email.
On March 9, Academic Affairs sent an email on behalf of Kent Gerberich, the chief information officer (CIO) and director of Learning and Technology Services (LTS), to the student body.
“My team and I are seeing an increase in identity-theft related incidents happening to students on campus. It is becoming increasingly important for everyone who uses a phone, a computer or social media to take some critical steps to keep your information secure,” Gerberich said in the email.
Gerberich’s email included suggestions for keeping personal information secure but did not explicitly mention the security breach at AudienceView. Crickette said discluding AudienceView from the message to students was intentional in order to comply with state statutes governing this area.
Crickette said Wisconsin Statute 134.98(2) states the responsibility of notification for a breach of personal information falls on the entity that maintains the information, and in this case, that entity is AudienceView.
“We also responded to AudienceView’s disclosure of the security breach and fulfilled our obligation to respect impacted individuals in the campus community,” Crickette said. “We ensured that AudienceView was responding appropriately, so we have an incident command process. We were meeting multiple times every day and really pressing to make sure AudienceView was responding appropriately and accordingly.”
Crickette said according to Wisconsin Statute 895.46 and Chapter 437, the university does not have the ability to remedy on behalf of AudienceView, or other vendors, when there is unauthorized acquisition of personal information.
“This is a highly regulated area and there are very specific legal actions that vendors have to take and that depending on the entity, the degree of responsibility,” Crickette said. “We were fortunate that we have a good team here and we did instant command, and we were also able to get support from the UW System, both from their IT department and legal department on our actions that we took.”
The Spectator reached out to Casey Thomas, AudienceView’s public relations specialist, for a statement on the security breach.
“In mid-February, certain individuals’ information may have been subject to unauthorized access and acquisition. In response, we moved quickly to remove the identified malware from our Campus product and reviewed the potentially impacted data. All potentially impacted parties have been contacted and offered credit monitoring and identity protection services for 12 months, free of charge. A full investigation has been performed by third-party cybersecurity experts, Mandiant, and AudienceView has implemented additional security measures to further protect against similar incidents occurring in the future,” Thomas said.
When Student Body Vice President Brett Farmer, a third-year public relations student, became aware of the security breach, he said he thought the Student Senate should get involved.
“I just felt like it was something that senate should take action on because it was something that was directly affecting students,” Farmer said. “Administration hadn’t said anything and a lot of departments and people were aware of it, so I was just kind of confused on why nothing had been said … this is absolutely an issue that regards senate because it regards the student body as a whole.”
Farmer said Student Senators Sam Consiglio and Brenna Strojinc were interested in authoring a resolution calling on UW-Eau Claire to notify students of the security breach and possible fraudulent banking activity, and he encouraged them to pursue the resolution.
Consiglio, a second-year geospatial analysis student, and Strojinc, a second-year English creative writing student, had both experienced fraudulent activity on their bank accounts after purchasing tickets for UW-Eau Claire events.
After buying tickets for Fire Ball and Cabaret, Consiglio said her bank contacted her about a fraudulent charge of around $380 on her bank account. According to Consiglio, her bank was able to stop a second fraudulent charge and she received a complete refund.
Consiglio said she does her banking in her hometown, which is four hours away, and was not able to get a new card for two weeks after the old card was deactivated.
“It’s a major inconvenience to students who are already a little bit broke and don’t have the means to go home,” Consiglio said.
Strojinc said she, along with several of her friends who bought tickets for Fire Ball, had fraudulent charges appear on her bank account.
“We had all gone to an event together and every single one of us had fraudulent activity on our accounts all within a two-week period,” Strojinc said. “All different amounts, all for different things and so I wanted to make students aware that there could be activity on their accounts.”
Strojinc said around $250 worth of fraudulent charges from two transactions appeared on her bank account, but she was able to get a complete refund. If the transactions had been smaller than $100, Strojinc said she would not have been notified by her bank and instead would have noticed the fraudulent activity at a later time.
Strojinc said it also took a while to receive her new card, and one of her friends is still waiting for a new card over a month since the fraudulent activity and has only been able to use cash in the meantime.
“She has had to just pay in cash and she’s running out of cash, which really sucks because she can’t really keep filling up her car with gas and buying groceries when she’s running out of money due to this fraudulent activity,” Strojinc said.
Both Consiglio and Strojinc said they did not receive the email from Drollinger or the letter from AudienceView.
There was an initial meeting with Consiglio and Strojinc, but Farmer said they did not have enough information. Farmer said he contacted the administration after the meeting for more information and to discuss the senate’s options.
Farmer said he met with Crickette and interim Chief Communications Officer Paula Gilbeck, and was told the security breach was a legal issue that couldn’t be addressed directly, but Consiglio and Strojinc had already begun authoring the resolution.
“Our original intention for the piece of legislation was to make sure that students were checking their banking accounts with the increase of fraudulent activity and also past events that’s happened,” Consiglio said. “It’s touched other UW schools and there’s been an increase in fraudulent activity across all the schools.”
Strojinc said the email from Gerberich was the administration’s attempt at notifying the student body to stop her and Consiglio from writing the resolution.
“That was originally an attempt to make the two of us feel better and not write our resolution,” Strojinc said. “And we felt like it was an important thing, but it was a sidestep that didn’t really address the initial issue so we continued with our resolution.”
Resolution 66-R-12, titled “Call for Notification of the AudienceView Data Breach” was put on the agenda for the senate meeting on Monday, March 13, but Consiglio withdrew the resolution before it could be introduced to the senate body.
Strojinc said Crickette had asked them to make changes to resolution 66-R-12 a few hours before it was supposed to be introduced at the meeting.
“I totally supported the resolution, I just asked Brett Farmer and some of the other students to talk about and share with them some of the information security issues that I was seeing and the importance of education and training,” Crickette said.
In addition to her role as vice chancellor, Crickette said she serves on a global information security committee and an information security education committee.
“Part of this is my personal and professional education and ongoing commitment to information security and education,” Crickette said.
Crickette said this is a growing area of risk and she wanted the resolution to address the need for increased information security education and training, rather than focusing on the security breach at AudienceView.
“I gave no edits to the resolution, but I said it would be better if it was broader so that would make this not just about AudienceView but about the whole environment that we’re in as citizens, as consumers with there being breaches on a regular basis for all of the systems that we use in our homes, that we use in our work, that we use in school,” Crickette said.
Based on his meetings with Crickette, Farmer said he thought she was concerned about naming AudienceView in the resolution and claiming that the increased fraudulent activity on students’ bank accounts were a direct result of the security breach.
“She was very uncomfortable, I think, with students just reporting their own situations,” Farmer said. “I think that was a lot of Grace’s qualms. We can’t confirm that because of AudienceView that people’s cards got stolen or hacked and that was kind of the basis of the original resolution.”
The Spectator cannot confirm the extent of the fraudulent activity or determine whether the fraudulent activity that was experienced was a direct result of the security breach with AudienceView’s Campus product.
Consiglio said Crickette had advised them to remove all the references to AudienceView and the security breach.
“When I was rewriting it, to avoid any and all discretions, I just took out any time that we had mentioned that an event had taken place and just replaced that with ‘an increase in fraudulent activity’ just so it was vague but still got our point across,” Consiglio said.
Consiglio said focusing on education was not the original intent of the resolution, but she and Strojinc wanted the student body to still be informed of the fraudulent activity in some capacity.
“Crickette also wanted more of an educational aspect to it, which that part is a little understandable because a lot of the university education stuff is out of date, but that wasn’t the original intent of our resolution,” Consiglio said.
Farmer said Crickette had told him to withdraw resolution 66-R-12.
“She said pull it, it’s illegal and the way that this is worded we can get sued by AudienceView by directly naming them. I think she thought that the clauses were directing that it was their fault and their issue,” Farmer said.
When asked for comment, Crickette said “I did not say that. What I was trying to explain to them was legal liability as a concept. I was explaining to them what can create liability, I don’t think I used the term ‘illegal’ which is different.”
Crickette said she did not tell Farmer to withdraw the first resolution, but had asked if it could be withdrawn for rewrites to be “actionable.”
“It was always just an overarching ‘we can’t it’s illegal’ and ‘just don’t talk about it’ and like we explained several times, it’s not really our job to have the knowledge of what is and isn’t legal in terms of cybersecurity and contracting with outside vendors,” Farmer said. “We just wanted to support more in some kind of statement and she just kept saying ‘it’s illegal so don’t talk about it.’”
When asked for comment, Crickette said “I never said anything about anybody not talking about anything.”
While Farmer was communicating between Crickette and the authors on the revisions, he said he started experiencing fraudulent activity on his credit card after purchasing tickets to Fire Ball and the Viennese Ball.
At the senate meeting on Monday, April 3, Strojinc introduced resolution 66-R-15, titled “Call for Notification and Education of Fraudulent Activity on Students’ Bank Accounts,” a revised version of resolution 66-R-12.
Farmer said Crickette met with him the day of the senate meeting and asked him to withdraw the revisioned resolution. Farmer said he explained to Crickette that he could not withdraw the resolution because he didn’t author it, but would pass her request on to Consiglio and Strojinc.
“I said I’m going to have to ask one or both of the authors to do it because it is now formally on the agenda and they’re the ones that have to make an action like that,” Farmer said. “I don’t think she really understood the timeline of senate meetings and agendas and how that worked.”
When asked for a comment, Crickette said “No, I did not ask him to withdraw it. I let him know that I thought it was awful that there were items written in there that we would not be able to take action on.”
Consiglio said Farmer told her Crickette wanted the revised resolution withdrawn, but she decided to introduce resolution 66-R-15 to the senate anyways.
“I don’t know specifically why it needed to be withdrawn the second time, but at that point, I had figured me and Brenna had already worked on everything that needed to be accomplished for it to be legally brought up to students,” Consiglio said.
Strojinc said Crickette and Senate Program Director Stephanie Pyykola had been sent a copy of the revised resolution on Thursday, March 30 — the deadline for legislation to be included on Monday’s agenda — and that Crickette had time to look it over.
Resolution 66-R-15 says “Be it therefore resolved, the University of Wisconsin-Eau Claire shall notify the student body via email to inform them of possible fraudulent activity on students’ bank accounts and how to keep their banking information safe.
“Be it therefore resolved, the University of Wisconsin-Eau Claire shall provide resources to educate students on how to deal with fraudulent activity on their bank accounts.
“Be it further resolved, the University of Wisconsin-Eau Claire Student Senate shall take necessary action to advocate for students and their protected, private information in the case that the University of Wisconsin-Eau Claire Administration does not inform students within the next one to two weeks upon the passage of this legislation.
“Be it further resolved, if another increase in fraudulent activity were to occur, the Student Senate encourages the University of Wisconsin-Eau Claire to notify the entire student body in a timely manner.”
The senate passed resolution 66-R-15 unanimously with a vote of 28-0-2.
Farmer said that besides the meetings, most of the communication from Crickette was going through him to Consiglio and Strojinc, instead of communicating with them directly.
“I just think Sam and Brenna put a lot of work in. I think they went out of their way to listen to Grace and work and meet with her and accommodate for the things she wanted,” Farmer said. “For Grace to then undermine them and just reach back out to me and said she still wasn’t happy with the resolution and then support it in the end. It’s not the respect I think they deserved for the work they put in for this resolution. That’s kind of shady.”
When asked for comment, Crickette said she was not trying to undermine Consiglio and Strojinc but rather trying to educate students on information security.
“It was not my intent to undermine in any way, it was to educate and inform the students about the issues that are difficult when there is an incident like this,” Crickette said. “I look forward, along with our CIO and legal counsel from (UW) System, to bring more knowledge and education and resources to our students.”
Crickette said legal counsel from the UW System will give a presentation about information security educational resource options at the next senate meeting at 6 p.m. on Monday, April 24, and she and Gerberich will be available to answer the senate’s questions.
The presentation will be recorded, Crickette said, with the intent to be used as a training tool.
Farmer said Crickette had talked with him about the possibility of creating a webpage on the UW-Eau Claire website about information security and technology resources.
“They thought it would be best to just have a page on the UW-Eau Claire website because parents can access it, potential students can access it, opposed to just another training canvas page where you can only access it if you’re a new student or enrolled student,” Farmer said.
Farmer said in addition to presenting their plans for educational resources, Crickette and Gerberich will also be receiving input from the senate.
At the time of publication, UW-Eau Claire has not notified the student body of the AudienceView security breach since resolution 66-R-15 passed, and Consiglio and Strojinc said students still need to be informed.
“I think students should be informed of something happening, just so then there’s transparency and students feel like they can trust each other. It’s part of the university’s job to make sure that all of us are secure and safe,” Consiglio said. “And while it might not have been the university’s fault because it’s a third-party system, they still have the responsibility of informing the students and making sure that students are up to date on knowledge.”
“I feel like it’s the administration’s (or) the university as a whole’s responsibility to look out for the students’ wellbeing, especially because students were involved,” Strojinc said. “It wasn’t the university’s fault, but by not making a statement, I feel like it is their fault in a way that they aren’t opening up and explaining. We were told it was a legality issue, but I feel all students have a right to know what happened and how everything happened.”
Farmer said the email from Gerberich is not enough, but that it was a step in the right direction.
“I guess because there was so much unknown and confusion, what Kent sent out was something and there is more coming now,” Farmer said. “We’ve continued conversations and work and I think that we are taking a step in the right direction.”
Student Body President Rossellin Gaitán, a fourth-year English student, was not involved in authoring or revising the resolutions, but did have fraudulent charges on her account after purchasing tickets for Fire Ball and said she believes the administration should have done more to notify the student body.
Gaitán said she got a fraudulent charge of around $5,000 — the $5,000 charge mentioned in resolution 66-R-12 — but her bank did not accept the purchase because it exceeded her daily limit.
Gaitán put a hold on her card and then got a new card, but said the fraudulent charges continued to occur. Gaitán said she had to close her bank account and create a new bank account to stop the charges from continuing.
“As someone who works two jobs just to be able to pay rent, I cannot afford to be losing hundreds of dollars so I think it’s important for any institution to say it and if there’s an issue that needs to be addressed, you need to just say it plainly,” Gaitán said.
Gaitán said she received a letter from AudienceView, but did not receive the email from Drollinger. Gaitán received internal emails from administration about the security breach, but said that was due to the nature of her position as president, not as an impacted student.
Gaitán said the university wants the student body to be involved and attend events on campus, but students shouldn’t have to deal with fraudulent charges after purchasing tickets.
“We want people to attend events, everyone does. Fire Ball was amazing, it was awesome and I’m really glad I went and I don’t regret it but it’s one other additive thing where it’s like ‘man, now I have to deal with this because this happened,’” Gaitán said.
“Our university strives to get students involved so it’s almost like these students were being punished — not that it was the university’s fault — for being an involved student,” Strojinc said.
Gaitán said administration needs to be transparent with the student body about the security breach.
“I think it’s important to be transparent, especially like I said, that’s student money,” Gaitán said. “If you were somewhat specific about it and you were transparent — as we claim we are — then you would ensure that students’ money, which is what’s paying for this building and every other building on campus, is being kept a top priority.”
While Gaitán said she wasn’t involved, she doesn’t see an issue with notifying the student body of the data breach, and said keeping students in the loop is important so history doesn’t repeat itself.
“There are people who maybe played a larger role in this than others, but overall, it’s definitely a learning lesson and from that it shouldn’t happen again,” Gaitán said. “The people who played a larger role, it’s not to say they’re terrible or not doing their jobs or bad people or whatever it is, it’s just that it can’t happen again.”
“Students know. Students will always find out at the end of the day. We have a funny way of finding stuff out, students will find out so you cannot hide anything from them,” Gaitán said. “Don’t avoid the inevitable and just address it while it happens and everyone stays happy.”
Kasper can be reached at [email protected].
Maddie Kasper is a fourth-year journalism and political science student. This is her sixth semester at The Spectator and second semester as editor in chief. She covered the UW-Eau Claire Student Senate for three consecutive semesters and dreams of being a national political correspondent. She adores poems about oranges, obsessively logging movies on Letterboxd and the Half Price Books on the east side...