A forensic investigation led by Ernst & Young found instances of credit card theft at several USC Hospitality venues over at least a one-month period, according to an email from Dan Stimmler, associate senior vice president of auxiliary services. Credit card numbers were obtained because of a breach in third-party software that the university installed three years ago, Stimmler said to the Daily Trojan.
Though credit card numbers were stolen, no personal information was compromised, the email said.
The university received its first reported theft June 20 and contracted Ernst & Young the following day to gather more details, investigate who might be responsible and look into ways to prevent a future security breach, Stimmler said. According to the email, the investigation has found that the thefts began on May 21 — or possibly earlier — and ended June 21 after USC Auxiliary Services discovered the breach and shut down the system.
The affected hospitality venues include the Ronald Tutor Campus Center, Seeds, The Lab and the Starbucks on the Health Sciences Campus.
Celine Lam, a senior majoring in cinematic arts and a writer for the Daily Trojan, discovered her credit card number had been stolen when her bank emailed her early this morning to inform her that someone in Northern Florida had charged about $2 to her card. Lam, who saw signs Tuesday that said the credit card software at the campus center had been disabled, said the university should have told her of the situation earlier.
“The notices up around the food areas only said the system was down, however. I personally would have liked to have been informed by USC as soon as possible if they’d been looking into this situation for over a week,” Lam said in an email.
The email advised faculty, staff, students and visitors to check their credit card statements over the past few months and report any irregularities to their credit card company.
“If you recently used your credit card at a USC dining facility, we recommend that you check carefully all credit card statements that you receive over the next several months, and as a precautionary measure, that you also check statements for the past several months for any unusual charges,” Stimmler said in the email.
Stimmler said he does not have an exact number of how many individuals were affected by the thefts. But since the breach occurred after commencement, a time when many students and faculty are off campus, he expects the number to be smaller. Though the university is notifying impacted students, faculty and staff, university officials cannot contact everyone who was affected because of privacy issues.
“We are unable to notify all potentially impacted individuals directly because the names of the credit card holders are known only to the banks that issued the credit cards,” Stimmler said in the email. “For privacy reasons, the issuing banks will not share names and contact information of the credit card holders.”
The Department of Public Safety is investigating the incident independently, Stimmler said.
No USCard information was compromised during the incident, the email said.
Stimmler said that, for now, the university will continue to use the same software, but with new security standards. Stimmler also said that looking for a new long-term software partner is a possibility.