Over the past few days, the global ticket and events site Ticketmaster have been e-mailing their customers to let them know their details have been compromised following a hack. It seems that anyone who bought a ticket via the site between February and June 2018 is likely to have had their data compromised. As well as names, postal and e-mail addresses, and phone numbers, they announced that credit card details had also been compromised.
From there, things get a little murky, and give a frightening insight into the security practices at Ticketmaster. They say *they* detected a breach on June 23rd. In reality, that is not true. They only found out about the breach when a card provider noticed that 60% of the cards it had replaced because of fraudulent activity had been used on a Ticketmaster (or subsidiary) site.
The biggest problem here, however, is the timeline. Not only did Ticketmaster and their in-house security team fail to spot the compromise (in a third-party, i.e. outsourced, part of their process); they were actually informed of the breach on April 6th, when the stolen card data started appearing in suspicious transactions. The provider (Monzo) invited the Ticketmaster “security” team in and presented the data. Ticketmaster moved to conduct an “investigation” and concluded that there was no compromise on their system.
Checksumming your static files might be a pain, but it tells you that your code has changed without your knowledge the next time you run a scan, and it can be automated quite easily. Instead of anything like that, the response appears to have been “stick your head in the sand” while their customers’ personal data continued to be siphoned off by an unauthorised third party. Either way, they have clearly sat on their hands since April, when they were first made aware of the breach. Their use of “June 23rd” puts them in a worse place: had they announced the problem when they were first aware of it, the ICO would have acted under the Data Protection Act 1998. By claiming they discovered the breach on June 23rd, the Data Protection Act 2018 should apply, with the full force of GDPR in place.
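To show what “checksumming your static files” looks like in practice, here is an added example (written for this page, not Two Up IT’s own tooling or anything from Ticketmaster). It records a SHA-256 baseline of the scripts, stylesheets and markup under a web root, then compares the live tree against that baseline on each run and reports files that were added, removed or changed. The directory layout, file names and the “tampered” checkout script in the demo are constructed for illustration; in production you would point `check_static_files()` at the real document root and run it from a scheduler, alerting on any non-empty result.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Files worth watching: scripts, stylesheets and markup are exactly what gets
# modified when a payment page is made to leak card details. (Assumed set.)
WATCHED_SUFFIXES = {".js", ".css", ".html", ".htm"}


def sha256_of(path):
    """Stream the file through SHA-256 so large bundles need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every watched file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def save_manifest(manifest, manifest_path):
    """Persist the baseline; keep this file somewhere the web server cannot write."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def compare(baseline, current):
    """Return (added, removed, changed) path lists. All three empty means the
    static content is exactly what it was when the baseline was recorded."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, removed, changed


def check_static_files(root, manifest_path):
    """Compare the live tree against the stored baseline. A scheduled job
    should alert whenever any of the three lists is non-empty."""
    return compare(load_manifest(manifest_path), build_manifest(root))


def demo():
    """Constructed scenario: a tiny site whose checkout script is altered
    after the baseline is taken, as happens when a served script is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "js").mkdir(parents=True)
        (site / "js" / "checkout.js").write_text("function pay(card) { submit(card); }\n")
        (site / "index.html").write_text("<html><body>Buy tickets</body></html>\n")
        (site / "logo.png").write_bytes(b"\x89PNG not a watched suffix")

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(site), manifest_path)

        # First scan after recording the baseline: nothing has changed.
        clean = check_static_files(site, manifest_path)

        # Simulate tampering: an extra line appended to the checkout script and
        # a new script dropped beside it. Both must show up in the report.
        with open(site / "js" / "checkout.js", "a") as fh:
            fh.write("/* injected */\n")
        (site / "js" / "extra.js").write_text("// unexpected file\n")

        tampered = check_static_files(site, manifest_path)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean run:", clean_result)
    print("after tampering:", tampered_result)
```

Two caveats a practitioner would add: the manifest must be refreshed as part of the deployment step, not by whoever can write to the web root, otherwise an attacker who changes a file can simply re-baseline it; and the check only covers what you host yourself, so scripts loaded from a third party need to be fetched and hashed the same way if that component is in your payment path.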
Two Up IT can provide regular vulnerability checks at reasonable prices. We can also provide automated checksumming solutions, which will alert you should any critical files change. Whilst it is the IT equivalent of “mucky work”, it is, like physical “mucky work”, essential. It is much easier to actively secure your systems than it is to complete an ICO investigation, and it shows your clients much more respect too.