The Ticketmaster breach – what happened and what to do

Live Nation Entertainment subsidiary Ticketmaster has admitted it has suffered a serious data breach affecting 40,000 of its British and international customers.
Anyone who used the Ticketmaster UK, GETMEIN! and TicketWeb sites to book tickets from February 2018 and 23 June 2018 may have had data compromised, including their name, email address, physical address, telephone number, Ticketmaster logins, and payment card details.
In addition, so-called “international customers” who bought, or tried to buy, tickets between September 2017 and 23 June 2018 could also be affected. (US customers are not part of the alert.)
The issue was caused by malware, spotted on 23 June 2018, that had infected a customer support system managed by Ticketmaster partner Inbenta Technologies, according to an email sent to affected account holders on Wednesday afternoon.
So far, the breach response is still at a stage described by Ticketmaster as follows:

Forensic teams and security experts are working around the clock to understand how the data was compromised.

In other words, we now all know that there was a breach, but not yet how it happened.

What’s happened to the stolen data?

Often, breach notifications refer to card payment data almost in passing, which invites readers to infer that although the data could have been compromised in theory, it wasn’t accessed in practice.
In this case, however, it seems pretty certain that payment card data was not only stolen but is also already being abused.
Digital banking company Monzo claims that the Ticketmaster website showed up as what’s known as a CPP (common point of purchase) in an above-average number of recent fraud reports:

On Friday 6th April [2018], around 50 customers got in touch with us to report fraudulent transactions on their accounts and we immediately replaced their cards.

The company noticed that 70% of these transactions had used the Ticketmaster site between December 2017 and April 2018.
And there’s more:

Given the pattern that was emerging, we decided to reach out to Ticketmaster directly. On Thursday 12th April [2018], members of the Ticketmaster security team visited the Monzo office so we could share the information we’d gathered. They told us they’d investigate internally.

Monzo said it had even sent out 6000 replacement cards in April 2018 to customers who had used Ticketmaster.
If Monzo has it right, it looks as though Ticketmaster was told of the problem more than two months ago, well before it acted on unusual activity last weekend, as stated in its notifiocation email:

On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.

That might have been prompted after MasterCard, also told of the issue by Monzo, issued an alert on 21 June 2018.
Ticketmaster may end up with questions from the UK Information Commissioner’s Office (ICO) about the apparent delay in telling its customers.

What to do?

• If you’re one of the 40,000 account holders that Ticketmaster says was affected by the compromise, you should have received an email telling you to change your account password. This process should happen automatically the next time you try to log in.
• If you haven’t been contacted, it’s still a good opportunity to ask yourself whether your Ticketmaster password is sufficiently strong. Change it if there’s any doubt. (This can be done by visiting the Ticketmaster “Forgotten Password” link.)
• Keep an eye on your bank and payment card statements. Ticketmaster said it will offer affected customers a free 12-month identity monitoring service with a “leading provider”, but whether you take that offer up or not, you need to be on the lookout for unauthorised activity on your accounts.
• Replace your payment cards as soon as you can if you’re on the list of Ticketmaster customers known to have been affected. In theory, the crooks oughtn’t to have the 3-digit CVV code from the back of your card, and in Europe they oughtn’t to be able to clone your card, thanks to Chip and PIN, but you should get a new card (which invalidates the old one immediately) anyway.
• Remember that it’s not just card payments that are at risk – the stolen data includes names and addresses, which puts you at risk of identity theft.
• Keep a special eye and ear out for fraudulent emails, instant messages and phone calls that claim to be connected to this incident. If someone contacts you “about the breach”, never call or message them back based on contact information they gave to you – always find an independent source for the relevant phone number or email address, such as a printed receipt.

WATCH NOW…