ticketmaster hack image

Ticketmaster hack – a review.

Over the past few days, the global ticket and events site Ticketmaster have been e-mailing their customers to let them know their details have been compromised following a hack. It seems that anyone who bought a ticket via the site between February and June 2018 is likely to have had their data compromised. As well as names, addresses (post and e-mail), and phone numbers – they announced that Credit Card details had also been compromised.

From there, things get a little murky – and give a frightening insight into the security practices at Ticketmaster. They said *they* detected a breach on June 23rd. In reality, that’s not true. They only found out about the breach when a card provider noticed that 60% of card replacements due to fraudulent activity had been used on a Ticketmaster (or subsidiary) site.

The biggest problem here, however, is the timeline. Not only have Ticketmaster and their in-house security team failed to spot the compromise (in a third party – aka outsourced – part of their process), they were actually informed of the breach on April 6th, when the stolen card data started appearing in suspicious transactions. The provider (Monzo) invited the Ticketmaster “security” team and presented the data. Ticketmaster moved to conduct an “investigation” and concluded that there was no compromise on their system.

In truth, they were partly correct. In reality, they failed to check the entire supply chain related to their operations. In this case, a supplier (Inbenta) provided Ticketmaster with a line of JavaScript which customised the providers product to suit Ticketmaster’s needs. This is where things get murky again. In their statement, Inbenta say they provided the custom line of JavaScript but did not know that Ticketmaster planned to use the code on their payments page. Had they known this, they would have “advised against it, as it incurs greater risk for vulnerability”. Hackers found and modified the code, altering it to steal the personal informatino of customers. In reality, Inbenta should have advised Ticketmaster of the potential vulnerability in the script, and where not to use it. In even better reality, Indebta shouldn’t have provided code which they knew could cause compromise.

The biggest culprit here is Ticketmaster, and their failure to investigate thoroughly is severly negligent. It also highlights the additional risks associated with outsourcing. Whoever creates the pages and code for Ticketmaster should also have realised the potential for compromise when integrating the JavaScript. The key point, however is this:

Hackers managed to modify a piece of code in February. This code was on the Ticketmaster site. Had Ticketmaster been regularly auditing their code, particularly vulnerable assets such as JavaScript, this would have been spotted and removed much sooner.

Checksumming your static files might be a pain, but it also lets you know your code has changed without your knowledge when you run your next scan. This can be automated quite easily. Instead, the response appears to have been “stick your head in the sand” while their customers personal data continued to be siphoned off by an unauthorised third party. Either way, they have clearly sat on their hands since April, when they were first made aware of the breach. Their use of “June 23rd” puts them in a worse place – has they announced the problem when they were first aware of it, the Data Protection Act 1998 would have been used by the ICO. By claiming they discovered the breach on June 23rd, the Data Protection Act 2018 should apply – with the full force of GDPR in place.

Two Up IT can provide regular vulnerability checks at reasonable prices. We can also provide automated checksuming solutions, which will alert you should any critical files change. Whilst it is the IT equivalent of “mucky work”, it is – like physical “mucky work” essential. It is much easier to actively secure your systems than it is to complete an ICO investigation – and it shows your clients much more respect too.

If you are interested in any of our security consultancy services, please get in touch!

Comments are closed.