Ticket purchasing platform Ticketmaster has disclosed a data breach which may have impacted as many as 40,000 UK customers.
Data exposed includes names, addresses, email addresses, telephone numbers, payment details and passwords. The site has warned customers to be on the lookout for fraud and identity theft, and is offering a free 12-month identity monitoring service to the affected customers.
According to digital bank Monzo, a number of Ticketmaster customers have experienced fraudulent transactions, with destinations of outgoing payments including money transfer service Xendpay, Uber gift cards, Netflix, and others.
Though Ticketmaster claims to serve more than 230 million customers a year globally, it says that only UK customers who purchased or attempted to purchase tickets between February and 23 June 2018 are likely to have been affected. As a precautionary measure, it says that it has also informed international customers who purchased or attempted to purchase tickets between September 2017 and 23 June 2018.
The breach also affects customers of TicketWeb and resale website Get Me In!, both of which are UK websites owned by Ticketmaster.
The platform says that all affected customers have been notified, and that “forensic teams and security experts are working around the clock” to understand how the breach occurred.
According to Ticketmaster, the company discovered on June 23 that malware on a customer support product hosted by Inbenta Technologies, an external third-party supplier, was exporting UK customers’ data to an unknown third-party.
However, Monzo’s statement, by its head of financial crime Natasha Vernier, said that the bank noticed a spike of fraudulent transactions in April which almost exclusively affected Ticketmaster users. She says that Monzo notified Ticketmaster on April 12 but was told a few days later that “an internal investigation had found no evidence of a breach”. She says that banks belonging to the UK Finance group were also made aware.
Ticketmaster says that in addition to notifying customers of the breach, it has also informed all relevant authorities. The NCSC is also monitoring the situation.
Update, 29/06: Jordi Torras, CEO of Inbenta, has confirmed that the source of the data breach was a single piece of JavaScript code, which was customised for Ticketmaster by Inbenta.
“The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat,” Torras said.
He confirmed that hackers were able to locate, modify and use the custom script to steal payment information sent via the page. However, he assured customers that the vulnerability has now been fixed, and that no customers other than Ticketmaster were impacted.
