Slashdot Mirror


Ticketmaster UK Admits Personal Data Stolen In Hack Attack (bbc.com)

An anonymous reader quotes a report from BBC: Ticketmaster has admitted that it has suffered a security breach, which the BBC understands has affected up to 40,000 UK customers. Malicious software on third-party customer support product Inbenta Technologies caused the hack, the firm said on Twitter. "Some personal or payment information may have been accessed by an unknown third party," it added. All affected customers have been contacted.

In the email to those customers, Ticketmaster said it had set up a website to answer any questions and advised them to reset their passwords. It also offered them a free 12-month identity monitoring service. It said the breach was likely to have only affected UK customers who purchased or attempted to purchase tickets between February and 23 June 2018. But, as a precaution, it said it had also informed international customers who had purchased or attempted to purchase tickets between September 2017 and 23 June 2018.

17 comments

  1. What if? by Anonymous Coward · · Score: 0

    So, what if I publish all my data myself before the big boys lose it.

    Can I then sue them for copyright infractions when they let a 3rd party have it? Since 'data protection' which seems more of a myth.

    $10k a pop might be more incentive than $1 fines they seem to get.

    1. Re:What if? by Lab+Rat+Jason · · Score: 1

      I don't think it's a problem of incentive, I think it's a problem of awareness, education, and investment: In my experience, upper management types are unaware of these issues because they literally don't read the news, or at least not tech news. Most of these breaches don't even make the mainstream media anymore. Then most IT management types think they have good security practices, so they're not worried about it too much, and if they're surrounded by yes-men, it's even worse. Finally for those few that are in a position to act and aren't oblivious or apathetic, recognizing there is a problem and properly investing in prevention is something the organization as a whole is often not well positioned to spend a lot of money on. It's up to one IT manager to argue in budget hearings for a massive investment that only mitigates (poorly understood) risk and won't make the company any money.

      In short, even people who should be in the know are poorly equipped to assess the risk and make the right choice.

      --
      Which has more power: the hammer, or the anvil?
    2. Re:What if? by wiretrip · · Score: 2

      Here in the EU we have GDPR - the fines for this kind of breach (if it happened after May 2018 - which this didn't funnily enough!!??) are 20 million Euros or 4 percent of annual global turnover - whichever is the greater!

  2. Ireland too by stereoroid · · Score: 2

    Note that Ticketmaster UK handles processing for Ireland too, so if you've used ticketmaster.ie in the last 6 months, the advisory applies to you too.

    --
    (this is not a .sig)
  3. Got Contacts By TM by Anonymous Coward · · Score: 0


    And it reads

    You got p0wned!

    That was it.

    1. Re: Got Contacts By TM by Anonymous Coward · · Score: 0

      Data security incident by third-party supplier

      On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.
      As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites.

      As a result of Inbenta's product running on Ticketmaster International websites, some of our customers' personal or payment information may have been accessed by an unknown third-party.

      We are contacting you because you purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018. Whilst we have no evidence to suggest your data has been compromised, we are notifying you out of an abundance of caution.

      Forensic teams and security experts are working around the clock to understand how the data was compromised.

      We are working with relevant authorities, as well as credit card companies and banks.

      What we are doing

      - Ticketmaster International has established a dedicated website veiligheid.ticketmaster.nl to answer your questions about the Inbenta incident. You can also contact us via https://www.ticketmaster.nl/klantenservice

      - As a precautionary measure, all notified customers will need to reset their passwords when they next log into their accounts

      We recommend that you monitor your account statements for evidence of fraud or identity theft. If you are concerned or notice any suspicious activity on your account, you should contact your bank(s) and any credit card companies.

      Ticketmaster understands the importance of your personal information. We take the protection of that information very seriously and we are sorry to have to write to you in these circumstances.

      Faithfully,
      Team Ticketmaster

  4. l33t ISIS h@X0r sleeper cells by Anonymous Coward · · Score: 0

    ISIS has claimed responsibility, so let's go bomb someone.

  5. A "hack attack"? by Anonymous Coward · · Score: 0

    That's like the worst kind of hack.

  6. GDPR, Please by ytene · · Score: 1

    I've no axe to grind when it comes to Ticketmaster. Never used their services.

    However, if companies are going to wake up to the importance of protecting the data they collect so voraciously, they need a good incentive to do so. Much as Ticketmaster won't like this, one useful way of approaching this would be that, if it can be shown that they were negligent, then to levy the absolute maximum that the GDPR will allow (4% of global turnover?) as a fine.

    Sadly, the only way that companies will even think of taking the privacy of our data seriously is when it hits their share price and the performance bonuses as paid to their directors. When we make it absolutely, unmistakeably, crystal clear that loss of data like this will earn the maximum in fines, we might start to see companies taking our data a bit more seriously.

    1. Re:GDPR, Please by Anonymous Coward · · Score: 0

      You are 100% right.

  7. Identity Protection Subscription SCAMS by Anonymous Coward · · Score: 0

    I don't know what's worse? Having your identity stolen, or being told that those monitoring services are any sort of "solution?"

  8. It wuz de haxx0rz, dey did done de haxx0rin' by Anonymous Coward · · Score: 1

    Nope, it's still ticketmaster's fault for letting the horses bolt. Likewise BeauHD is still a poser and a wannabe editor.

  9. Third party by manu0601 · · Score: 1

    Malicious software on third-party customer support product Inbenta Technologies caused the hack

    The term "third party" suggests Inbenta operates the service and would be somehow liable. But if Ticketmaster operated it on its own, there is no Inbenta liability. The article is not clear about the situation.

    1. Re: Third party by Anonymous Coward · · Score: 0

      It's actually quite simple. Ticketmaster is liable to you and Inbenta is liable to Ticketmaster.

    2. Re: Third party by Anonymous Coward · · Score: 0

      Yeah, I'm interested in the free "identity monitoring service". I'll give you, again, all my personal information. Name, email? No problem.

  10. Credit and shame where it's due by Zocalo · · Score: 2

    It appears that Monzo (a UK online bank) noticed this breach through anomalous transactions on their cards as early as April 6th, notified TicketMaster about the possible issue immediately and started proactively replacing cards that had been used to make purchases through TicketMaster. Representatives from TicketMaster visited Monzo's offices on April 12th to gather further information - a whole week(!) after the initial notification - but then apparently denied finding evidence of a breach to Monzo a further week later, finally coming clean by going public on 27th June, almost 12 weeks after they were first advised of a possible compromise that apparently they didn't resolve until 23rd June, per their own site. Note that Mastercard sent out a general advisory about the account data compromise to all banks on 21st June, which may have forced TicketMaster's hand on the timing of the public disclosure.

    Given TicketMaster dropped the ball on security matters, I'm also left wondering if they dropped the ball on GDPR requirements too. The time period spans the introduction of the GDPR on May 29th so, in theory, TicketMaster should have notified the relevant authorities within three days of confirming they had been breached, or by June 1st, whichever came first. If they failed to do that, or were perhaps even hoping to cover the breach up, then TicketMaster's troubles might only just be getting started.

    --
    UNIX? They're not even circumcised! Savages!
  11. bring terry davis back by Anonymous Coward · · Score: 0

    this is what they get for not having the priest of the third temple terry davis protecting them and coding for them
    he could dispel the people who glow in the dark just with a flick of his wrist but now he is homeless and has to suck nignog dick to survive
    what a fate
    download and install templeOS, god says so