A raft of UK customers signed up with concert and sporting events ticketing outlet Ticketmaster have been warned that they could now be at risk of fraud or episodes of identity theft after the global organisation revealed a major data breach that has potentially affected tens of thousands of individuals. Indeed, the BBC reports that 40,000 UK customers might have been impacted by the breach.
On Saturday 23 June, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third party supplier to Ticketmaster. As soon as the malicious software was discovered, the Inbenta product was disabled across all Ticketmaster websites.
According to Ticketmaster, less than 5% of the company’s global customer base has been affected by this incident. Customers in North America have not been affected. However, as a result of Inbenta’s product running on Ticketmaster International websites, some customers’ personal or payment information may have been accessed by an unknown third party. Information which may have been compromised includes name, address, e-mail address, telephone number, payment details and Ticketmaster login details.
Ticketmaster has contacted those customers who may have been affected by the security incident. UK customers who purchased, or attempted to purchase, tickets between February and 23 June this year may be affected, as may those international customers who purchased, or attempted to purchase, tickets between September 2017 and 23 June this year. Inbenta’s product was running on Ticketmaster International, Ticketmaster UK, the GetMeIn! re-sale website and TicketWeb. All potentially affected customers have already been contacted by e-mail.
Ticketmaster recommends that customers monitor their account statements for evidence of fraud or identity theft. If customers are concerned or notice any suspicious activity on their account, they should contact their bank(s) and any credit card companies. As a precautionary measure, all notified customers will need to reset their passwords when they next log into their accounts.
Ticketmaster is offering impacted customers a free 12-month identity monitoring service with a leading provider. There’s a dedicated website (security.ticketmaster.co.uk) offering additional information, while customers can also e-mail: firstname.lastname@example.org for more advice.
The Guardian understands that a number of Ticketmaster customers have already had fraudulent transactions debited from their accounts, with the fraudsters spending people’s cash on money transfer service Xendpay, Uber gift cards and Netflix (among other items).
Ticketmaster states that registered customers who have not received an e-mail are not believed to have been affected by this security incident based on the company’s investigations to date. Forensic teams and security experts are now working around the clock to understand how the data was compromised.
Statement from the ICO
Commenting on the incident, a spokesperson for the Information Commissioner’s Office said: “Organisations have a legal duty to ensure that people’s personal information is held securely. We have been made aware of an issue concerning Ticketmaster and will be making enquiries. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether or not the matter is dealt with under the 1998 or 2018 Data Protection Acts.”
A spokesperson for the National Cyber Security Centre (NCSC) added: “We are aware of a cyber incident affecting Ticketmaster. The NCSC is working with our partners to better understand the data breach. Guidance for Ticketmaster customers has been published on the NCSC’s website. Anyone concerned about the potential for fraud or lost data should contact Action Fraud. We recommend that people are vigilant against any suspicious activity on their bank accounts.”
The National Crime Agency (NCA) is leading the investigation and broader law enforcement response to the cyber incident affecting Ticketmaster. Specialist officers from the NCA’s National Cyber Crime Unit are managing the ongoing investigation and are working with Ticketmaster and its partners to secure evidence, as well as provide mitigation advice and guidance.
Officers are liaising with companies in the UK and overseas, as well as international law enforcement partners, to gain a better understanding of the incident.
Fraudsters often use incidents like this to conduct secondary fraud attacks. The NCA is advising anyone who spots suspicious activity on their bank account to contact their card issuer. If they feel they have been a victim of crime, they should contact Action Fraud via www.actionfraud.police.uk.
Reaction from the security sector
Adenike Cosgrove, cyber security strategist (EMEA) at Proofpoint, informed Risk Xtra: “The data breach at Ticketmaster marks one of the first major international breaches of EU personal data reported after the General Data Protection Regulation (GDPR) enforcement date of 25 May, making this a case to watch with regard to its consequences. Questions will be asked first and foremost about how sensitive personal data including payment information was shared, unencrypted, with a third party application.”
Cosgrove went on to state: “This breach underscores precisely why enterprise security teams must have clear visibility into the third party applications running within their environments and appropriately secure them as more and more organisations rely on cloud-based solutions to conduct operations worldwide. Best Practice calls for organisations to deploy a Cloud Access Security Broker solution that combines user-specific risk indicators with cross-channel threat intelligence to analyse user behaviour and detect anomalies in third party apps. Without this, organisations simply don’t know when users and corporate data are at risk.”
In conclusion, Cosgrove observed: “Organisations are at their weakest post-breach when it comes to fraud. As we saw with Equifax, hackers almost immediately distributed phishing attempts to try and capitalise on the incident. Users affected by this breach should be extremely vigilant in confirming the source of all e-mails that are sent to their e-mail Inbox. They should also change their password directly through Ticketmaster’s website and most certainly sign up for the credit monitoring service that Ticketmaster has offered.”
Dr Guy Bunker, senior vice-president of products at Clearswift, said: “This is the first major breach where GDPR shared responsibility comes into play as it was the sub-contractor/data processor which had the leak. The episode highlights the importance of understanding the full information chain. In order to gain an overarching understanding, businesses should conduct an audit – or at least ask for a statement – on the information security which the other parties have in the chain. It might be that sub-contractors have sub-contractors, so this knowledge is essential. There also needs to be a complete understanding of what’s being shared and why. In the past, organisations might ‘overshare’ because it was easier than creating the sub-set which was needed. Hidden columns in spreadsheets were not uncommon.”
Bunker continued: “There are several ways in which the malware could have been installed in this case. Perhaps it was a badly patched system which meant there was a vulnerability which could be exploited, or there could have been a phishing attack with a ‘weaponised’ document or a URL resulting in malware. Once inside the organisation, then the malware could readily spread. As is the case with all data breaches, the first piece to have in place is a plan. It looks like Ticketmaster has a plan, reporting within the required timeframe and working on unearthing the facts. Of course, this is reacting after the horse has bolted and there needs to be other controls in place to create the Best Practice defence-in-depth approach.”
Good ‘standard’ security controls
In addition, Bunker highlighted: “The first step is to prevent the bad stuff from coming in. This means ensuring that applications and the OS are suitably patched and having good ‘standard’ security controls in place such as intrusion detection or prevention on the network as well as anti-virus on e-mail, web and the endpoint. Additional controls such as sandboxing, or structural sanitisation, can be deployed to detect and mitigate the risk from ‘weaponised’ documents. Ideally, a business will monitor inside the network for anomalous activity as well, whether this is on network traffic or applications, such that it can identify any potential malicious activity across the network.”
Also, Bunker explained: “Finally, it’s a case of preventing the good stuff from going out. Use a Data Loss Prevention (DLP) solution, or a next generation Adaptive DLP solution, to detect and remove sensitive information from being transmitted to unauthorised individuals. An Adaptive approach will ensure that continuous collaboration is maintained without compromising information.”
Bunker pointed out that security within any operation is only as strong as the weakest link. “If that weak link is one of the suppliers or partners then this will cause issues. Ensure that your suppliers, partners and all within the information chain have at least as strong an information security posture as your own or the consequences will be falling foul of the GDPR and, with it, the potential for huge fines, not to mention the damage to the business’ reputation and customers. Remember that those customers are only a click away from the competition.”