The online ticketing company Eventbrite warned customers Thursday to monitor their email accounts for suspicious messages after two company iPads storing sensitive customer data were stolen from an employee.
In a letter emailed to customers and posted on the company's blog, Eventbrite CEO Kevin Hartz said the iPads were stolen from an employee on Sept. 20. The data stored on the devices included names and email addresses of customers who bought tickets online to one customer event, Hartz said. The lost data also included full credit card numbers for 28 attendees who purchased tickets at the event. Those credit card numbers were not encrypted due to a bug in the company’s iPad application, he said.
As Eventbrite tried to determine what other information may have been stored on the stolen iPads, the company remotely locked the devices and erased the data, Hartz said. The letter noted that the company believed the risk for criminal misuse was low, but it asked customers to watch their email accounts for suspicious messages and to avoid sharing financial or sensitive information over email.
"Please note that Eventbrite will never ask for passwords or credit card numbers over email," Hartz said.
To prevent this from happening in the future, Hartz said that the company had updated its iPad application, Eventbrite At The Door, to encrypt email addresses collected at events and that the company would no longer store email addresses collected from online orders on mobile devices.
"We know that having your personal data compromised is a violation of the trust you place in Eventbrite, and we offer you our deepest apologies," Hartz said.
Eventbrite, a ticketing startup with 144 employees based in San Francisco, helps event organizers to create web pages, issue tickets and promote their events online. Founded in 2006, the company has typically catered to smaller events, but has expanded its ambitions recently in an effort to take business from industry giant Ticketmaster. In March, Eventbrite announced it had raised $50 million in venture capital and expects to earn more than $400 million in sales this year, almost double its revenue from last year.
The theft of the iPads highlights the security risks that companies face as they increasingly use mobile devices to run their businesses. In a survey of 1,500 businesses in 14 countries, released in May by the security firm McAfee and Carnegie Mellon University, 40 percent said their mobile devices have been lost or stolen, half of which stored company data.
Security experts say customers whose names and email addresses are exposed through data breaches are vulnerable to "spear phishing," or targeted attacks in which hackers send personalized emails that appear to come from trusted companies in order to trick users into revealing personal data or downloading malicious software.
According to the FBI's cybercrime division, Internet users can take several measures to avoid becoming a spear-phishing victim:
- Keep in mind that most companies, banks, agencies, etc., don't request personal information via e-mail. If in doubt, give them a call (but don't use the phone number contained in the e-mail -- that's usually phony as well).
- Use a phishing filter ... many of the latest web browsers have them built in or offer them as plug-ins.
- Never follow a link to a secure site from an e-mail -- always enter the URL manually.
- Don't be fooled (especially today) by the latest scams. Visit the Internet Crime Complaint Center (IC3) and "LooksTooGoodToBeTrue" websites for tips and information.