Thales Blog

Vendini Data Breach – An Ounce Of Prevention

June 25, 2013

Tina Stewart Tina Stewart | VP, Global Market Strategy More About This Author >

Vendini Data BreachBox office and online ticketing provider Vendini found its name in the media due to a database breach that occurred back in March. The company learned that the personal information of its members' consumer-patrons — including names, mailing addresses, email addresses, phone numbers, credit card numbers and expiration dates — may have been compromised by a third-party criminal actor. While Vendini does not the collect credit card security access code information (e.g., CVV, CVV2, PINs) typically needed to complete credit card transactions and early forensics indicate that usernames and passwords weren't accessed during this breach, they incident is likely to have a negative impact on Vendini's brand reputation.

Interestingly, since fall out from the data breaches continue to make headlines, brand reputation is no longer just a marketing issue, but an IT imperative as well. Several weeks ago, I blogged about a survey Vormetric put out this spring, Protect What Matters – Data Security, in which we learned that adopting security best practices as a means of protecting the brand has become a pressing boardroom issue.

Vendini is the leader in cloud-based event ticketing and logistics software. Thousands of organizations utilize Vendini's solutions for event promotion, ticket sales, box office management and event. These include high school, college and university programs, PGA golf tournaments and NASCAR racing, so the impact of this database breach could be both large and far-reaching. To get a sense of the magnitude, let's look at just one customer, the University of Michigan. Officials there have contacted "over 33,000 customers" who bought tickets at the Michigan Union Ticket Office in the last two years to let them know their personal information may have been compromised. Vendini is urging "everyone who bought tickets from the box office anytime between September 2011 and April 2013" to double-check their bank statements. Not great for Vendini's brand reputation, or U of M's, for that matter.

The sad thing is, this unpleasant situation could have been avoided entirely had Vendini encrypted the databases that were breached. Given that perimeter security is failing, encrypting sensitive data in databases is no longer an option – it’s vital for risk management. Escalating Advanced Persistent Threats (APTs) and data breaches, growing global compliance requirements, accelerating cloud adoption, and the proliferation of Big Data are driving organizations in every industry to seek data-level encryption and access controls. It's becoming obvious that the best way to safeguard against breaches like this one is to take a layered "inside out" security approach, creating a “data firewall,” implementing access policies with fine-grained controls, deploying advanced encryption, key management and vaulting technologies to lock down and change the state of sensitive data, and continuously gathering security intelligence to identify emerging issues in real-time.

At Vormetric, we make it easy to companies like Vendini to protect what matters by offering a heterogeneous, transparent, high-performance data encryption solution that has strong separation of duties and centralized key management. In Vendini's case, all indications are that a malicious outsider perpetrated the breach, which is why taking a data-centric security approach is becoming increasingly important. It’s not a coincidence that a whopping 40% of our survey respondents said they are investing in server encryption.

Organizations must come realize that privileged users present an enormous insider threat to sensitive data as well, as evidenced by Edward Snowden's recent activities. Cyber attacks are getting more sophisticated by the day, and it's clear to everyone that data is the new currency. When it comes to securing your sensitive data, an ounce of prevention turns out to be worth far more than a pound of cure.

Regardless of whether you view Edward Snowden as a traitor or a whistle blower, what do you think of root separation of duties as a mean to keep sensitive data protected?