Ticketmaster Blames Third Party Over Data Breach
29.6.18 securityweek Incindent
Ticketmaster UK has had thousands of personal customer information compromised. This may include name, address, email address, telephone number, payment details and Ticketmaster login details, the company said.
How many accounts have been compromised has not been specified, although the company says in a statement, "Less than 5% of our global customer base has been affected by this incident;" adding, "Customers in North America have not been affected."
Details of the hack have not yet been disclosed other than it involved 'an unknown third-party'. The statement says that it identified malicious software on a support product hosted by Inbenta Technologies (part of Ticketmaster's supply chain). It did this on Saturday, June 23, and immediately 'disabled the Inbenta product across all Ticketmaster websites."
Ticketmaster clearly feels that Inbenta is at fault. Inbenta takes a slightly different view. In its own statement, CEO Jordi Torras, writes, "it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements." The attackers located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 18.
But Torras adds, "Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability." In other words, it is Ticketmaster that is at fault.
James Romer, chief security architect at SecureAuth + Core Security, explains, "a customer service chatbot was compromised by malware and exported UK customers' data to an unknown third-party." In fact, the breach could extend to other nations. While Ticketmaster says, "we understand that only certain UK customers" are affected, it also says it is notifying all Ticketmaster International customers (outside of the U.S.) that they need to reset their passwords.
Ticketmaster has further concerns to consider. According to Monzo -- an online-only bank based in East London -- it warned Ticketmaster about a potential breach in early April. Monzo had detected fraudulent card activity that seemed to point to a Ticketmaster common factor. In a blog posted Thursday by Natasha Vernier, Monzo's head of financial crime, she explains that the bank reached out to Ticketmaster, and on 12 April, "members of the Ticketmaster security team visited the Monzo office so we could share the information we'd gathered. They told us they'd investigate internally."
Within a week, Monzo was sufficiently concerned and certain that it shared its information with the U.S. Secret Service, and started to proactively replace every Monzo customer card that had been used at Ticketmaster (about 6000).
One week after its security team visited Monzo's offices, Ticketmaster informed Monzo that it had found no evidence of a breach and that no other banks were reporting similar patterns. The breach wasn't actually found until some ten weeks after Monzo first raised its concerns.
"There are going to be a few eyebrows raised this morning about this breach and when Ticketmaster really discovered it," comments Tony Pepper, CEO and co-founder at Egress. Clearly data was at risk for some time, and apparently Ticketmaster had been alerted to the issue but didn't heed those warnings. It is going to be interesting to see how the ICO reacts when they get to the bottom of this, given the emphasis now placed on data breach reporting and reflected in the changes made under the GDPR."
This was a supply chain attack that took a long time to detect even when the company was told it had been breached. Supply chain attacks are increasing. "It's not uncommon for companies to be breached via a third-party supplier, which is why it's important to carefully consider who to work with and what security protocols they have in place," comments Andrew Bushby, UK director at Fidelis Cybersecurity.
It's worth noting that that the UK government's new Minimum Cyber Security Standard for government departments actually specifies that the supply chain should be required to meet the UK's Cyber Essentials level 6.
Joseph Carson wonders whether artificial intelligence will become embroiled in the case. "Many companies are using chat bots to help automate their customer experiences, having been lured into fancy buzzwords like machine learning, artificial intelligence and virtual assistance," he notes. While the theft of personal details, financial information and passwords means these are now available on the darknet for cybercriminals to abuse, he wonders what else might have been stolen. "It will be interesting to learn," he suggests, "whether the cybercriminals also accessed the artificial intelligence information that could be used for a more targeted type of attack."
The danger to victims of this breach is primarily twofold: fraudulent use of the stolen payment details, and more calculated identity theft. "The fact that payment card information has been caught up in this breach is hugely concerning," comments Brooks Wallace, Head of EMEA for Trusted Knight. "In cases like this, details often end up for sale on the dark web, rather than in the hands of the original hackers themselves, and then end up being used for fraudulent transactions and in some cases identity theft.
"When used to make transactions, fraudsters often start by testing small transactions here to make sure it works and then ramp up to bigger purchases. Anyone who thinks they may have been caught up in this breach needs to keep a very careful eye on their bank accounts and potentially should contact their bank to change their cards." In reality, any customer of Ticketmaster, whether a victim of this breach or not, will need to be wary of the inevitable opportunistic phishing emails that follow any such breach.
One aspect of this breach will only become clear over time: how will the European data protection regulators react in relation to the General Data Protection Regulation. It's a moot point since the actual breach occurred prior to the activation of GDPR, although internal recognition and victim notification both occurred within GDPR. The UK's ICO will probably treat the case similar to the Dixons Carphone breach: "It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 18 Data Protection Acts."