For many Cornell students, attending ticketed events such as concerts and sporting events can be a source of joy and stress relief during taxing moments of the semester. In late February, though, AudienceView, the third-party ticketing vendor the University uses, experienced a breach of student personal information.
The breach put a damper on the enjoyment of events for many affected students.
“It was 10 minutes before my physics prelim, and I saw charges up to $5,000 on my card after I checked my balance. I immediately panicked and could not do much about it until after my prelim exam,” said S.C. ’24, a student in the College of Agriculture and Life Sciences who wished to remain anonymous due to an ongoing case with the police.
S.C. had previously purchased tickets to the Cornell Fashion Collective fashion show to support a friend.
Ella Bormet ’24 noticed recent card fraud after a series of charges that she had not made, only one of which has already been reimbursed by her bank.
“I didn’t really think anything of it,” Bormet said. “Two days later, my mom texted me and said, ‘I didn’t know you sent your Uno cards to our house. Can I mail them to you?’ It was really funny. I [said] ‘What? I didn’t order that.’ … So that’s kind of how I actually found out.”
For some, the matter felt more serious, as the victims have no control over the dispute and investigation process.
S.C. said they experienced four fraudulent charges in total on their debit card, with two as purchases at OfficeDepot and two sending almost $4,000 to a random recipient.
“There is no guarantee that I will get my money back after my dispute,” S.C. said. “Additionally, the investigation will take more than 30 days, which is outright ridiculous for something I had no control of, and this is the case for many students right now.”
In an email sent to some Cornell students who had previously purchased tickets through their platform, AudienceView alerted students to the possibility of a data breach.
“On Feb. 21, AudienceView discovered suspicious activity within our Campus product which is embedded into the website of Cornell Big Red Ticket. We immediately initiated an investigation into the nature and scope of the event and determined that our Campus product was impacted with malware,” the company wrote in the email. “The investigation determined that between Feb. 17, and Feb. 21, certain individuals’ information may have been subject to unauthorized access and acquisition. In response, we moved quickly to remove the malware from our Campus product and reviewed the potentially impacted data in order to identify what information is contained therein and to whom that information relates.”
Bormet said she did not receive such an email.
Personal information such as student names, billing and shipping addresses, email addresses and payment information may have been affected, according to the company.
In an email to The Sun, Samantha Park, assistant director of Athletics, Ticketing and Camps at the University, wrote that AudienceView has since suspended all sales on their platform due to further attempted security breaches of its platform.
“Sales via our site will remain unavailable while AudienceView conducts an investigation,” Park wrote. “[On Wednesday,] our office will be releasing information on securing admission for this weekend’s men’s basketball game.”
Cornell is not the only university currently experiencing this issue. Virginia Tech, SUNY Oswego, Middlebury College and Kent State University are among the other colleges where student information was recently breached through use of AudienceView’s third-party ticketing service.
S.C. said the incident has threatened their sense of security.
“I’m basically without a card right now,” S.C. said, “but I feel unsafe using my card and account info until the investigation is over.”