Details still emerging, but logins and payment details breached on a significant scale
Ticketmaster, a subsidiary of Live Nation, the world’s largest live entertainment ticketing sales and marketing company, has been hacked, with potentially millions estimated to have had their payment details accessed.
It is unclear how those details were protected. Information which may have been compromised includes: name, address, email address, telephone number, payment details and Ticketmaster login details, the company said.
The company has yet to release a specific number for those affected, saying “less than five percent” of its global customer base has been impacted. The company sold 500 million tickets to 86 million fans last year.
A company spokesman told Computer Business Review it was working on getting a specific number, after issuing a statement three days after discovering the hack; as required under GDPR regulations.
Third Party Software from Inbenta Blamed
The company said today: “On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.”
“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites. Less than 5% of our global customer base has been affected by this incident. Customers in North America have not been affected.
“As a result of Inbenta’s product running on Ticketmaster International websites, some of our customers’ personal or payment information may have been accessed by an unknown third-party.”
“Hey, We Didn’t Say Run that Script on your Payments Page…”
Inbenta, which provides its “Inbenta Case Management” system to clients globally, Shot the blame back at Ticketmaster in a statement released early the following day.
He added: “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”
In an additional security FAQ the company added: “One of the advantages of hosting scripts at Inbenta’s servers that are embedded in our customer’s website is the flexibility that Inbenta can offer to our customers to have new functionalities or updates up and running quickly. The downside is that we cannot monitor which web pages our customers are embedding those scripts on and therefore we cannot prevent customers putting them in pages that collect sensitive information.”
Ticketmaster has opened https://security.ticketmaster.co.uk/ for those worried they have been affected.
Patrick Hunter, Director at One Identity, said: “Ticketmaster has fallen foul of the sub-processor parts of GDPR here. They need to make sure that they are compliant but so are all the third parties that share their consumer’s data.”
He added: “They will need to look at their internal procedures and those of their suppliers again and find out how to stop these sorts of things happening in the first place. Education is usually the first thing to look at. We should be asking that question with every breach, someone, somewhere made a mistake. They happen!”
He added: “But how can they be mitigated? Educate the users so they don’t fall for phishing attacks (we can make an assumption here that Ticketmaster’s attack came from this route) but also stop the accounts of admins having direct access to servers and critical accounts. Use password stores and two-factor authentication at a minimum to protect those critical accounts that inevitably get abused during a hack or breach.”
UPDATED 7.40 BST , June 28, 2018, with details from Inbenta.