What you need to know about the Ticketmaster data breach – and what you should learn from it

On June 27, global ticketing company Ticketmaster announced it was the latest company to suffer from a malicious data breach.  Up to 4,000 UK customers could be affected, with names, email addresses, telephone numbers, payment details and login information compromised.

At first glance, one could assume that there isn’t much businesses need to do in the wake of the Ticketmaster data breach announcement, save raising awareness amongst their employees and recommending anyone who uses the service updates their passwords and keeps a close eye on their bank statements.

However, the story that is emerging highlights some issues that all businesses would be wise to consider – and showcases the good, the bad and the ugly of data security.

the good the bad and the ugly

The Good: Monzo

Start-up internet bank Monzo is the only player in the Ticketmaster data breach story that is emerging from it with a decidedly good-practice gloss.

The bank has revealed that it first suspected the breach as early as the 6th of April, when somewhere in the region of 50 customers got in touch to report fraudulent transactions on their accounts. Subsequent routine analysis conducted by Monzo’s Financial Crime and Security team revealed 70 percent of the affected customers had used their cards with Ticketmaster between December 2017 and April 2018.  This seemed unusual to Monzo’s team, as only 0.8% of its total customer base were Ticketmaster customers.

It was enough to warrant Monzo notifying Ticketmaster immediately on the 12th of April.  Ticketmaster duly responded to say, “Our investigation shows no evidence of a breach and we don’t believe we’re the source of this”.

Monzo were unimpressed and unconvinced.  On Friday the 6th of April, Monzo software engineer Daniel Chatfield, cognisant that without confirmation of the source of the breach from Ticketmaster it might be entering dangerous legal territory to name the company, sent out an encrypted tweet which he finally decrypted the day of the announcement by Ticketmaster: it had detailed the breach.

In the meantime, Monzo acted swiftly to protect its customers and raise awareness within the financial sector.  Without mentioning Ticketmaster directly, through Thursday the 19th of April and Friday the 20th of April, Monzo replaced 6,000 cards for customers it deemed at risk.  It notified the US Secret Service, Mastercard and reached out to other banks to ask if they’d seen anything similar.

For other companies, Monzo’s swift investigation, remedial action and intensive communication should be something of a blueprint of how to respond to a data breach.

The Bad: Use of Third-Party Software

Ticketmaster revealed on the 27th of June that it had identified the breach and its source: the use of a third-party chatbot app supplied by software company Inbenta.

Ticketmaster uses an Inbenta AI chatbot to answer customers’ queries on its website.  The vulnerability arose from a piece of Javascript that Inbenta developers had customised specifically for Ticketmaster.  According to Inbenta, unknown to them, Ticketmaster had then used this script on its payments page.

Hackers discovered the script and modified it.  As a result, since February those hackers have been using it to harvest payment and other personal information from the Ticketmaster website – spawning the fraudulent activity identified by Monzo.

Inbenta was notified by Ticketmaster on the 23rd of June and claimed to have resolved the issue by the 26th.  However, the responses from Ticketmaster to both Monzo and Inbenta highlights the need to properly vet third-party providers for such business-critical operations.

Ticketmaster is far from alone in using third-party software tools to deliver its services.  Businesses need to have a fresh think about the security implications of their relationships with 3rd party suppliers.

Ticketmaster says it failed to identify the source of the breach immediately because it stemmed from a third-party tool.  Inbenta says, “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability.”

These comments suggest that poor oversight on the part of Ticketmaster and poor communication between Ticketmaster and Inbenta appear to be the source of the problem.

The story shows us how, as businesses increasingly move workloads to the cloud and export more of their IT function, it becomes ever-more imperative to seek specialist expert and independent advice to fulfil the due diligence aspects of the purchasing process, especially around IT security and potential data breaches.

The story also highlights how supply chains must change to enable a far greater collaboration between customer and supplier.  These conversations may also well benefit from expert oversight.

The Ugly: The Financial Costs

Finally, the ugly: the potentially ruinous financial fall-out for Ticketmaster.  The reputational and brand damage and subsequent loss of earnings and shareholder value is yet to be counted.

Meanwhile, Ticketmaster customers are dealing with the very real cost of fraudulent activity on their bank accounts and credit cards.  Monzo estimates the cost of refunding its customers for fraudulent activity is around £15,000.  But Monzo is a relatively small bank, and it acted swiftly

to prevent further fraud.  For the wider Ticketmaster customer base affected by the incident, the potential cost is likely to be far greater.

The failure of Ticketmaster to respond to Monzo’s original breach notification has New Statesman raising the possibility of legal action against Ticketmaster.  While this seems unlikely, the Information Commissioner’s Office (ICO) in the UK is certainly investigating.

The ICO says it is unsure at the moment whether the breach will be subject to new GDPR legislation, or the earlier 1998 Data Protection Act which preceded GDPR.  The uncertainty which law applies arises from the timings involved: when the incident took place (when the 1998 law applied) or when breach was reported by Ticketmaster (after GDPR had come into force).

If ICO decides the latter is applicable, the Ticketmaster story could become a high-profile test case of the application of GDPR and the fines organisations can expect to face under it.  GDPR makes provision for firms to be fined up to four percent of global turnover; Ticketmaster’s parent company Live Nation Entertainment made more than $10bn last year. This would result in a fine of 400 million dollars.

What to do now

  • If you are a customer of Ticketmaster International, Ticketmaster UK, GETMEIN! or TicketWeb websites and you are worried your personal information may have been compromised, follow the advice on the National Cyber Security Centre (NCSC) website: https://www.ncsc.gov.uk/guidance/ncsc-advice-ticketmaster-customers
  • If you are a business and you would like more information about how to assess the security of your third-party providers, speak with your Netstar account manager today and we will be happy to offer advice and develop a plan for you.
  • Learn from the Monzo example; ensure you are in a position to act swiftly to contain a data breach should the worst happen. With good planning, you should be able to transform a potentially bad news story into a positive one.  Your Netstar account manager can offer advice about developing a Security Policy.

If you aren’t already a Netstar customer, but you would like advice on any of these issues, please contact us via our contact form or call us 02036 574 489.