Ticketmaster UK Admits Personal Data Stolen In Hack Attack

An anonymous reader quotes a report from BBC: Ticketmaster has admitted that it has suffered a security breach, which the BBC understands has affected up to 40,000 UK customers. Malicious software on third-party customer support product Inbenta Technologies caused the hack, the firm said on Twitter. "Some personal or payment information may have been accessed by an unknown third party," it added. All affected customers have been contacted.

In the email to those customers, Ticketmaster said it had set up a website to answer any questions and advised them to reset their passwords. It also offered them a free 12-month identity monitoring service. It said the breach was likely to have only affected UK customers who purchased or attempted to purchase tickets between February and 23 June 2018. But, as a precaution, it said it had also informed international customers who had purchased or attempted to purchase tickets between September 2017 and 23 June 2018.

Re:

[Lab Rat Jason]

I don't think it's a problem of incentive, I think it's a problem of awareness, education, and investment: In my experience, upper management types are unaware of these issues because they literally don't read the news, or at least not tech news. Most of these breaches don't even make the mainstream media anymore. Then most IT management types think they have good security practices, so they're not worried about it too much, and if they're surrounded by yes-men, it's even worse. Finally for those few

Re:

[wiretrip]

Here in the EU we have GDPR - the fines for this kind of breach (if it happened after May 2018 - which this didn't funnily enough!!??) are 20 million Euros or 4 percent of annual global turnover - whichever is the greater!

Ireland too

[stereoroid]

Note that Ticketmaster UK handles processing for Ireland too, so if you've used ticketmaster.ie in the last 6 months, the advisory applies to you too.

GDPR, Please

[ytene]

I've no axe to grind when it comes to Ticketmaster. Never used their services.

However, if companies are going to wake up to the importance of protecting the data they collect so voraciously, they need a good incentive to do so. Much as Ticketmaster won't like this, one useful way of approaching this would be that, if it can be shown that they were negligent, then to levy the absolute maximum that the GDPR will allow (4% of global turnover?) as a fine.

Sadly, the only way that companies will even think

It wuz de haxx0rz, dey did done de haxx0rin'

[Anonymous Coward]

Nope, it's still ticketmaster's fault for letting the horses bolt. Likewise BeauHD is still a poser and a wannabe editor.

Third party

[manu0601]

Malicious software on third-party customer support product Inbenta Technologies caused the hack

The term "third party" suggests Inbenta operates the service and would be somehow liable. But if Ticketmaster operated it on its own, there is no Inbenta liability. The article is not clear about the situation.

Credit and shame where it's due

[Zocalo]

It appears that Monzo (a UK online bank) noticed this breach [monzo.com] through anomalous transactions on their cards as early as April 6th, notified TicketMaster about the possible issue immediately and started proactively replacing cards that had been used to make purchases through TicketMaster. Representatives from TicketMaster visited Monzo's offices on April 12th to gather further information - a whole week(!) after the initial notification - but then apparently denied finding evidence of a breach to Monzo a further week later, finally coming clean by going public on 27th June, almost 12 weeks after they were first advised of a possible compromise that apparently they didn't resolve until 23rd June, per their own site. Note that Mastercard sent out a general advisory about the account data compromise to all banks on 21st June, which may have forced TicketMaster's hand on the timing of the public disclosure.

Given TicketMaster dropped the ball on security matters, I'm also left wondering if they dropped the ball on GDPR requirements too. The time period spans the introduction of the GDPR on May 29th so, in theory, TicketMaster should have notified the relevant authorities within three days of confirming they had been breached, or by June 1st, whichever came first. If they failed to do that, or were perhaps even hoping to cover the breach up, then TicketMaster's troubles might only just be getting started.