Ticketmaster UK has warned of a potential personal data breach four days after detecting malware in a third-party artificial intelligence-based customer support chatbot service.
The company said the infected service was disabled across all Ticketmaster websites as soon as it was discovered that malware on the service, hosted by Inbenta Technologies and based in the US, was exporting UK customers’ data to an unknown recipient.
Affected websites include Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb.
Information that may have been compromised includes: name, address, email address, telephone number, payment details and Ticketmaster login details.
Investigations into the incident are ongoing, but Ticketmaster believes that less than 5% of its global customer base has been affected, adding that customers in North America have not been affected.
The company has contacted UK customers who bought, or attempted to buy, tickets between February and 23 June 2018 to inform them that their data may have been compromised and to advise them to change their passwords. Up to 40,000 UK customers could be affected, according to ITV News.
Customers are also advised to be on the lookout for attempts by scammers to use the incident to trick them into providing personal information and to monitor their bank accounts and credit cards for fraudulent transactions.
Ticketmaster said any customers who have not received an email are unlikely to have been affected, based on its investigations.
“Forensic teams and security experts are working around the clock to understand how the data was compromised,” the company said.
Ticketmaster said it is also working with relevant authorities, credit card companies and banks. It is also offering affected customers a free 12-month identity monitoring service.
A spokesperson for the National Cyber Security Centre (NCSC) said: “We are aware of a cyber incident affecting Ticketmaster. The NCSC is working with our partners to better understand the incident.”
Ticketmaster customers who are concerned should read the data security update the company has published on its website, the NCSC said.
A spokesperson for the Information Commissioner’s Office said: “Organisations have a legal duty to ensure that people’s personal information is held securely. We have been made aware of an issue concerning Ticketmaster and will be making enquiries.”
Javvad Malik, security advocate at AlienVault said the incident reinforces the importance of vetting all third parties for the access they require and to have ongoing monitoring and threat detection controls in place that can raise alerts when a third party is accessing corporate systems.
“This is a long-standing risk that many companies face,” he said. “Target was breached in 2014 by compromising a third-party heating, ventilation and air-conditioning supplier.”
Malik said this risk will only increase as companies adopt more cloud services and providers. “Cloud services often offer great convenience through which multiple providers can offer and integrate services,” he said. “But it remains vitally important that companies are aware of who is accessing its systems and data, and why, keeping a particularly close eye on critical data.”
Lee Munson, security researcher at Comparitech.com, said organisations need to think beyond their own security perimeters and consider tight segregation of data wherever possible.
“To its credit, Ticketmaster UK has informed customers just a few days after it says it discovered the incident, which makes a refreshing change and is most likely influenced by new notification rules imposed by the General Data Protection Regulation [GDPR],” he said.
Oz Alashe, CEO of CybSafe, said weaknesses in a company’s cyber security defences are often found in its vast network of suppliers, partners and third-party products.
“While most large businesses already have a cyber security strategy in place, their smaller suppliers often don’t,” he said. “The cyber defences of any one organisation is only as strong as the defences of all the businesses and products it entrusts with its data.”
According to Alashe, CybSafe’s own study into SME suppliers in 2017 revealed that one in seven did not have any cyber security protocols in place and one supplier in five was not worried about data loss at all.
“One thing is for certain, though,” he said. “Now that GDPR has come into force, the stakes are raised, and fines for this kind of occurrence are on the cards.”
Patrick Hunter, director at One Identity, said Ticketmaster appears to have fallen foul of the sub-processor parts of the GDPR.
“They need to make sure they are compliant but so are all the third parties that share their consumers’ data,” he said. “They will need to look at their internal procedures and those of their suppliers again and find out how to stop these sorts of things happening in the first place.”
According to Hunter, education is usually the first thing to look at. “We should be asking that question with every breach: someone, somewhere made a mistake,” he said. “They happen – but how can they be mitigated? Educate the users so they don’t fall for phishing attacks, but also stop the accounts of admins having direct access to servers and critical accounts.”
Hunter also recommend the use of password stores and two-factor authentication as a minimum to protect accounts that inevitably get abused during a hack or breach.
Brooks Wallace, European head for Trusted Knight, said that in cases like this, details often turn up for sale on the dark web, rather than in the hands of the original hackers, and then end up being used for fraudulent transactions and, in some cases, identity theft.
“When used to make transactions, fraudsters often start by testing small transactions to make sure it works and then ramp up to bigger purchases,” he said. “Anyone who thinks they may have been caught up in this breach needs to keep a very careful eye on their bank accounts and potentially contact their bank to change their cards.
“Also, anyone who is a Ticketmaster customer needs to watch out for phishing emails. After an incident like this, criminals from around the world will jump at the chance to try and catch a few unsuspecting people out.”