C3 Presents promoters may have suffered data breach
Friday, August 15, 2014 by Michael Kanin
C3 Presents, the Austin-based music promotions firm behind such festivals as Austin City Limits and Lollapalooza, has apparently suffered a security breach. The details were cited in a letter sent to potential victims of the violation, including an Austin Monitor reporter.
The document states that “on current information and belief, no festival or concert customer information was exposed.”
However, the letter adds that “an unknown unauthorized person gained access” to one of C3’s servers after “its theft … on Friday, June 20, 2014.”
The letter, which has a C3 Presents logo at the top, suggests the data compromise may be limited to “C3’s present and former employees, independent contractors, and other such parties.” That information, it reads, could include “names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s licenses, government IDs, band routing information, credit/debit card information and passwords, position and salary pay information of C3 present and former employees and independent contractors.”
The statement is careful to note that not all of the included information “will be applicable to everyone receiving this notice.” It is signed by C3 Human Resources Director Laura Wood. Wood did not return a call requesting comment.
The Monitor has been in contact via email with two other C3 representatives, Festival Marketing Manager Lindsay Hoffman and publicist Sandee Fenton of Fresh and Clean Media. Hoffman referred questions (“all press requests,” as she put it) to Fenton, whom she copied on the email thread. Fenton did not respond.
In the letter, the company notes that it took “immediate and significant steps to prevent a recurrence of this possible breach of security.” It lists improvements such as “stepping up encryption and purging of old data, and increasing physical security around server equipment.” The letter includes an offer for the company to “pay for one year’s enrollment in CSID’s Breach Protector identity protection coverage at no cost” to potential victims.
Further, the company suggests that the letter, delivered Aug. 13 to at least one Austin resident, was “sent at the earliest time reasonably possible upon compilation of individuals whose information may have been compromised.”
The implication that physical equipment was stolen suggests the theft may not be part of any broader data breach. In early August, for example, a number of news sources reported that a group of Russian hackers had collected 1.2 billion online passwords. In its coverage of the incident, The New York Times, citing another widely publicized breach — the theft of 40 million credit card numbers and even more addresses from big-box retailer Target — reported that “there is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle.”