The Ticketmaster Breach: A Case Study in Transaction Stack Security for E-Commerce Sites

07.11.18

Trevor Reschke, Head of Threat Intelligence

Late last month, Ticketmaster – one of the UK’s largest online ticketing companies – admitted a major data breach affecting the payment details of 40,000 customers due to malware that had accessed the payment page on its web application.  

 

As more details came to light in the fallout of the announcement, it became clear that this incident had all the hallmarks of a true data breach disaster. From ignored early warnings, to third-party suppliers, to misappropriated JavaScript, and thousands of credit and debit card details in the wild – the attack on Ticketmaster UK is a case study for the importance of transaction stack security for e-commerce sites.

 

How the Breach Unfolded 

On June 27th, Ticketmaster reported a data breach through malicious software on a third-party customer support product provided by Inbenta Technologies. The statement made clear that the malware had been immediately disabled on discovery, the relevant authorities had been notified, and that the company had contacted the 40,000 UK and international customers who purchased between February and June 2018 and were suspected to be affected.

 

In addition, Ticketmaster stated that it had security experts working around the clock to investigate the breach, the company had set up a website to answer questions on the attack, and was even offering customers a free 12-month identity monitoring service. It seemed like Ticketmaster was to be a case study example of how to get things right when handling a data breach.  

 

However, digital “challenger bank” Monzo had a different story to tell. According to a post on its website, Monzo had noticed a correlation between fraudulent activity on its customer accounts and recent purchases from the Ticketmaster website as far back as April, and had alerted the ticketing site to the issue. While no action was taken by Ticketmaster, in the intervening period between April and June, Monzo had pre-emptively sent 6,000 new cards to its customers. 

 

Inbenta Technologies also had something to say on the breach. While the third-party supplier did admit that the breach was due to a piece of JavaScript code that it had customized for Ticketmaster, the CEO claimed that the company was unaware that Ticketmaster was planning to apply the script to its payment page. According to Inbenta, if they’d known Ticketmaster’s intentions, they would have advised against it due to a greater risk of vulnerability.

 

The Consequences of the Breach 

This is a breach destined to have far reaching ramifications. Of course, the first one to note is the impact on the innocent party: the customers.  

 

While Ticketmaster was quick to state that only 5 percent of its customer base was affected, the information compromised is of a highly valuable nature – including not just names, addresses, email addresses, telephone numbers, and Ticketmaster log-in details, but also payment information.  

 

No matter how many customers are involved, the fact that payment card information has been caught up in this breach is hugely concerning. As we discussed with the BBC and other news outlets, in cases like this, details often end up for sale on the dark web, rather than in the hands of the original hackers themselves, and then end up being used for fraudulent transactions and in some cases identity theft. Ticketmaster customers will have to keep a very careful eye on their bank accounts and potentially contact their banks to change their debit and credit cards. 

 

Ticketmaster customers also need to watch out for phishing emails. After an incident like this, criminals from around the world will jump at the chance to try and catch unsuspecting victims by pretending to be Ticketmaster. 

 

Of course, there will also be consequences for Ticketmaster. As this is one of the first breaches to fall under Europe’s new General Data Protection Regulation (GDPR), the UK authority will have a tough case on its hands given the conflicting statements between Ticketmaster, its supplier Inbenta Technologies, and indeed Monzo, regarding who holds responsibility for the breach and when it was discovered. Both factors will dictate what, if any, fine Ticketmaster will receive, and it is bound to be an interesting test case for GDPR, which, in theory, will be far stricter on careless data handling.

 

Lessons Learned 

In terms of response to the breach, there was a lot that Ticketmaster did right. If the vulnerability did indeed only come to light on June 23rd, it’s likely that the Information Commissioner’s Office in the UK would treat the company favorably – as it clearly went to some lengths to inform authorities, alert its customers, and offer support. Of course, its potential downfall is that, if what Monzo says is true and Ticketmaster had been alerted to the breach in April, its delayed response is inexcusable. By comparison, Monzo demonstrated decisive customer action and impressive fraud monitoring capabilities (no other UK bank recognized a trend or alerted Ticketmaster). Financial institutions should take note.

 

Of course, no parties would have to respond if Ticketmaster had properly protected its web application and there had been no breach in the first place. This attack is yet another example of the great risk cybercrime poses to e-commerce and financial service companies. The information they handle is extremely valuable and hackers are out there developing innovative ways to access it and exploit it – which is exactly what happened here. 

 

There is nothing more sensitive for an e-commerce site than its transaction stack – the connected software and systems where payment details are exchanged between the customers and the company web application. Organizations have to be able to protect against malware throughout the entire stack. We call this Full Transaction Stack Protection, as our solution Protector Air is the only unified solution that safeguards the full transaction stack against both cyberattacks and fraud.