Ticketmaster UK Admits Personal Data Stolen In Hack Attack (bbc.com)
An anonymous reader quotes a report from BBC: Ticketmaster has admitted that it has suffered a security breach, which the BBC understands has affected up to 40,000 UK customers. Malicious software on third-party customer support product Inbenta Technologies caused the hack, the firm said on Twitter. "Some personal or payment information may have been accessed by an unknown third party," it added. All affected customers have been contacted.
In the email to those customers, Ticketmaster said it had set up a website to answer any questions and advised them to reset their passwords. It also offered them a free 12-month identity monitoring service. It said the breach was likely to have only affected UK customers who purchased or attempted to purchase tickets between February and 23 June 2018. But, as a precaution, it said it had also informed international customers who had purchased or attempted to purchase tickets between September 2017 and 23 June 2018.
Note that Ticketmaster UK handles processing for Ireland too, so if you've used ticketmaster.ie in the last 6 months, the advisory applies to you too.
(this is not a
I don't think it's a problem of incentive, I think it's a problem of awareness, education, and investment: In my experience, upper management types are unaware of these issues because they literally don't read the news, or at least not tech news. Most of these breaches don't even make the mainstream media anymore. Then most IT management types think they have good security practices, so they're not worried about it too much, and if they're surrounded by yes-men, it's even worse. Finally for those few that are in a position to act and aren't oblivious or apathetic, recognizing there is a problem and properly investing in prevention is something the organization as a whole is often not well positioned to spend a lot of money on. It's up to one IT manager to argue in budget hearings for a massive investment that only mitigates (poorly understood) risk and won't make the company any money.
In short, even people who should be in the know are poorly equipped to assess the risk and make the right choice.
Which has more power: the hammer, or the anvil?
I've no axe to grind when it comes to Ticketmaster. Never used their services.
However, if companies are going to wake up to the importance of protecting the data they collect so voraciously, they need a good incentive to do so. Much as Ticketmaster won't like this, one useful way of approaching this would be that, if it can be shown that they were negligent, then to levy the absolute maximum that the GDPR will allow (4% of global turnover?) as a fine.
Sadly, the only way that companies will even think of taking the privacy of our data seriously is when it hits their share price and the performance bonuses as paid to their directors. When we make it absolutely, unmistakably, crystal clear that loss of data like this will earn the maximum in fines, we might start to see companies taking our data a bit more seriously.
Nope, it's still ticketmaster's fault for letting the horses bolt. Likewise BeauHD is still a poser and a wannabe editor.
Malicious software on third-party customer support product Inbenta Technologies caused the hack
The term "third party" suggests Inbenta operates the service and would be somehow liable. But if Ticketmaster operated it on its own, there is no Inbenta liability. The article is not clear about the situation.
Here in the EU we have GDPR - the fines for this kind of breach (if it happened after May 2018 - which this didn't funnily enough!!??) are 20 million Euros or 4 percent of annual global turnover - whichever is the greater!
It appears that Monzo (a UK online bank) noticed this breach through anomalous transactions on their cards as early as April 6th, notified TicketMaster about the possible issue immediately and started proactively replacing cards that had been used to make purchases through TicketMaster. Representatives from TicketMaster visited Monzo's offices on April 12th to gather further information - a whole week(!) after the initial notification - but then apparently denied finding evidence of a breach to Monzo a further week later, finally coming clean by going public on 27th June, almost 12 weeks after they were first advised of a possible compromise that apparently they didn't resolve until 23rd June, per their own site. Note that Mastercard sent out a general advisory about the account data compromise to all banks on 21st June, which may have forced TicketMaster's hand on the timing of the public disclosure.
Given TicketMaster dropped the ball on security matters, I'm also left wondering if they dropped the ball on GDPR requirements too. The time period spans the introduction of the GDPR on May 29th so, in theory, TicketMaster should have notified the relevant authorities within three days of confirming they had been breached, or by June 1st, whichever came first. If they failed to do that, or were perhaps even hoping to cover the breach up, then TicketMaster's troubles might only just be getting started.