The Shubert Organization – one of the largest operations in theatre both on and beyond Broadway – has suffered a data breach, including customer email addresses, names, and credit card numbers and expiration dates.
Shubert is the owner and operator of 17 Broadway theaters and six off-Broadway venues, as well as a ticketing service Shubert Ticket.
The breach took place between Feb. 8 and 11, and was discovered on Feb. 11. Shubert’s letter states that a subsequent investigation was unable to determine the full “scope of the information that was accessed,” or whether the intruder actually accessed the customers’ information.
At this time, it is unclear whether this is a limited-scale data breach involving a handful of accounts, or a wider breach that could affect the organization’s foundation or ticketing operations – which includes ownership of Telecharge as well as secondary market operations like Entertainment Benefits Group.
An email request for details on the breach sent to a media relations executive for the company Tuesday morning has not yet received a response.
Affected customers have been contacted via a letter providing notice of the breach, one of which was forwarded to TicketNews. The letter detailed what Shubert knows regarding the data breach, and that it is providing 24 months of credit monitoring services through TransUnion Interactive system. It also included information on “Steps You Can Take Protection against Identity Theft and Fraud.”
Per the letter, the company became aware of “unusual activity related to an employee’s email account” on or about February 11 of this year. An investigation revealed “unauthorized access to some employees’ email accounts” that took place between February 8 and 11 prior to it being detected.
“While the investigation was unable to confirm the scope of the information that was accessed within the affected email accounts, Shubert is notifying you in an abundance of caution because we have confirmed that your information was present in the affected email accounts.”
For whatever number of consumers the breach could affect, the letter indicates that their investigation concluded in mid-March that “information present in the affected email accounts includes your name, credit card number and credit card expiration date.”
In response to the incident, the company said it contacted state regulators at the attorney general’s office, is offering exposed customers 24 months of free credit monitoring services, and continues to update security measures and training.