SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Ticketmaster breached: here’s what seven security experts had to say
Fri, 29th Jun 2018
FYI, this story is more than a year old

Ticketmaster has revealed details of a malicious security breach that occurred on Saturday (June 23), admitting that customer data may have been compromised.

The ticketing vendor reported that it's UK arm identified malicious software on a customer support product hosted by Inbenta Technologies, who operates as a third-party supplier to Ticketmaster.

Ticketmaster says some of its customers' personal or payment information may have been accessed by an unknown third-party, as a result of Inbenta's product running on Ticketmaster International websites.

Other information which may have been compromised includes customer's name, address, email address, telephone number, and Ticketmaster login details.

In a statement on Ticketmaster's Australian website, the company said, “As soon as it was determined that there was potential unknown third-party access to certain personal information, Ticketmaster took swift action to address the issue and protect customers.

The company says less than 5% of its global customer base has been affected by this incident, with customers in North America not at all affected.

Ticketmaster says those who may have been affected include UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018, as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018.

It also says that if customers have not been contacted via email, Ticketmaster doesn't believe them to be affected.

TechDay has received a number of comments from cybersecurity professionals representing a range of organisations, giving their take on the significance of the breach, whether Ticketmaster acted responsibly and what can now be done in the aftermath.

Here's what they had to say;

Australian Information Security Association (AISA)

AISA chairman, Damien Manuel has praised Ticketmaster for its swift reaction to the breach and being upfront about letting customers know. “I commend Ticketmaster for disclosing the data breach quickly and providing notification to affected customers encouraging them to be vigilant and check for fraudulent credit card transactions. In an age where we are dependent on complex digital systems, it is almost inevitable consumers will be impacted by data breaches,” Manuel says.

“This latest incident highlights the need for supply chain governance, as cybercriminals are now attacking the weakest points in the supply chain to gain access to data that can be monetised. The banking sector is very mature in this space and under APRA requirements, regular security audits are performed across the supply chain. “With the increase in data breach reporting, I urge organisations in every industry to perform similar cybersecurity reviews across their supply chains to help uplift the capability and maturity of those providers to build more robust and secure services. I also hope Ticketmaster uses this opportunity to help build business confidence by openly discussing the incident, so other organisations can learn from its experience.


In polarisation to AISA, global privacy officer at CyberScout, Eduard Goodman says the breach has come about as a result of the reckless actions of the ticketing vendor.

"The recent Ticketmaster UK breach is a perfect example of organisational hubris-by ignoring and downplaying several indicators raised by a third-party bank trying to simply give Ticketmaster a heads up that they were likely having an issue. Ticketmaster has now placed tens of thousands of individuals at risk with a large number of their impacted customers now suffering actual fraud as a result,” Goodman says.

“Ticketmaster's failure to recognise that a large percentage of data breaches are discovered and reported by third party organisations demonstrates a clear lack of understanding of the manner in which information security failings are increasingly being discovered.

“Organisations ranging from financial institutions and card companies to law enforcement and tax collectors have increasingly been the ‘canary in the coalmine' for other organisations by discovering and pointing out previously unknown security breaches.


SentinelOne Director of product management Migo Kedem says the breach represents an alarming trend on the rise.

“Every now and then we see cases where a legitimate application is either collecting unauthorised data or compromised to include malware or malicious info stealers. We've seen this happening with CCleaner, a popular Windows cleanup utility, infecting over 2.3 million users, discovered in April of last year,” Kedem says.

“I expect this trend to evolve even further. There are too many defence solutions relying on "who you are" rather than "what you do", so it becomes relatively easy to attack the supply chain of an application that was not designed to provide security.


Varonis director of sales engineers Matt Lock says the breach sends a message to consumers that any organisation that hosts their information can be breached and they need to exercise caution. “Any popular website like Ticketmaster is a good target for criminals. Consumers who purchased tickets must be careful and vigilant – the scammers will be out to further prey on those affected by the breach. It's bad enough if your credit card information is stolen, but don't fall for a scam in its wake,” Lock says.

“Don't respond to or click on any text messages or emails as scammers can easily camouflage their true identities. If you get a call from a number you don't recognise – don't answer. Check your payment card and bank statements on the regular to ensure nothing is amiss – criminals may try to charge small amounts to your card.

“If you suspect your payment card information was stolen, consider replacing your card. Know that criminals may now have your personal details and you could be a target in the long-term.


Verodin head of behavioural research James Lerud says a breach like this calls into question whether Ticketmaster can still be trusted by consumers.

"Ticketmaster's business model is centred around being a trusted third party between promoters and consumers. A breach like this calls into question how much they can be trusted,” he says.

“Any company who outsources parts of their business that includes sensitive data needs to be extremely cautious to ensure they are not outsourcing security because the responsibility of safeguarding consumer data cannot be outsourced.

“In cases where sensitive data handling has to be outsourced extra effort needs to be taken to continuously verify the proper controls are in place. A periodic paper audit does not cut it, a program where controls are continually measured and improved must be implemented.


In a similar vein to Verodin, Exabeam solutions architect Stephen Gailey says the breach serves as a wake-up call for Ticketmaster to take responsibility for the security of their customer's data, regardless how they use third-party technology partners.

"Ticketmaster, like other organisations that outsource some or all of their IT services, needs to understand that it can't abdicate responsibility for security. It is the responsibility of every organisation to protect customers' data and to ensure that their downstream service providers are also taking adequate precautions.

“Similarly organisations that get breached need to realise that simply offering identity monitoring services is not an adequate response, particularly under GDPR. Where is the ICO in all of this?"


Finally, Sophos released a list of things that customers can do if they fear they their information has been compromised or are unsure.

The actions that Sophos says customers can take include the following;

  • If you're one of the 40,000 account holders that Ticketmaster says was affected by the compromise, you should have received an email telling you to change your account password. This process should happen automatically the next time you try to log in.

  • If you haven't been contacted, it's still a good opportunity to ask yourself whether your Ticketmaster password is sufficiently strong. Change it if there's any doubt. (This can be done by visiting the Ticketmaster “Forgotten Password” link.)

  • Keep an eye on your bank and payment card statements. Ticketmaster said it will offer affected customers a free 12-month identity monitoring service with a “leading provider”, but whether you take that offer up or not, you need to be on the lookout for unauthorised activity on your accounts.

  • Replace your payment cards as soon as you can if you're on the list of Ticketmaster customers known to have been affected. In theory, the crooks oughtn't to have the 3-digit CVV code from the back of your card, and in Europe, they oughtn't to be able to clone your card, thanks to Chip and PIN, but you should get a new card (which invalidates the old one immediately) anyway.

  • Remember that it's not just card payments that are at risk – the stolen data includes names and addresses, which puts you at risk of identity theft.

  • Keep a special eye and ear out for fraudulent emails, instant messages and phone calls that claim to be connected to this incident. If someone contacts you “about the breach”, never call or message them back based on contact information they gave to you – always find an independent source for the relevant phone number or email address, such as a printed receipt.