Skip to content
Naked Security Naked Security

Online ticketing company “See” pwned for 2.5 years by attackers

Don't be a cybersecurity slowcoach - you need to spot possible attacks as soon as you can.

See Tickets is a major global player in the online event ticketing business: they’ll sell you tickets to festivals, theatre shows, concerts, clubs, gigs and much more.

The company has just admitted to a major data breach that shares at least one characteristic with the amplifiers favoured by notorious rock performers Spinal Tap: “the numbers all go to 11, right across the board.”

According to the email template that See Tickets used to generate the mailshot that went to customers (thanks to Phil Muncaster of Infosecurity Magazine for a link to the Montana Department of Justice website for an official copy), the breach, its discovery, its investigation and remediation (which are still not finished, so this one might yet go all the way to 12) unfolded as follows:

  • 2019-06-25. By this date at the latest, cybercriminals had apparently implanted data-stealing malware on event checkout pages run by the company. (Data at risk included: name, address, zip code, payment card number, card expiry date, and CVV number.)
  • 2021-04. See Tickets “was alerted to activity indicating potential unauthorized access”.
  • 2021-04. Investigation launched, involving a cyberforensics firm.
  • 2022-01-08. Unauthorised activity is finally shut down.
  • 2022-09-12. See Tickets finally concludes that attack “may have resulted in unauthorised access” to payment card information.
  • 2022-10. (Investigation ongoing.) See Tickets says “we are not certain your information was affected”, but notifies customers.

Simply put, the breach lasted nearly two years before it was spotted at all, but not by See Tickets itself.

The breach then continued for nine more months before it was properly detected and remediated, and the attackers kicked out.

The company then waited another eight months before accepting that data “may” have been stolen.

See Tickets than waited one more month before notifying customers, admitting that it still didn’t know how many customers had lost data in the breach.

Even now, well over three years after the earliest date at which the attackers are known to have been in See Ticket’s systems (though the groundwork for the attack may have predated this, for all we know), the company still hasn’t concluded its investigation, so there may yet be more bad news to come.

What next?

The See Tickets notification email includes some advice, but it’s primarily aimed at telling you what you can do for yourself to improve your cybersecurity in general.

As far as telling you what the company itself has done to make up for this long-running breach of customer trust and data, all it has said is, “We have taken steps to deploy additional safeguards onto our systems, including by further strengthening our security monitoring, authentication, and coding.”

Given that See Tickets was alerted to the breach by someone else in the first place, after failing to notice it for nearly two years, you can’t imagine it would take very much for the company to be able to lay claim to “strengthening” its security monitoring, but apparently it has.

As for the advice See Tickets handed out to its customers, this boils down to two things: check your financial statements regularly, and watch out for phishing emails that try to trick you into handing over personal information.

These are good suggestions, of course, but protecting yourself from phishing would have made no difference in this case, given that any personal data stolen was taken directly from legitimate web pages that careful customers would have made sure they visited in the first place.

What to do?

Don’t be a cybersecurity slowcoach: make sure your own threat detection-and-response procedures keep pace with the TTPs (tools, techniques and procedures) of the cyberunderworld.

The crooks are continually evolving the tricks they use, which go way beyond the old-school technique of simply writing new malware.

Indeed, many compromises these days hardly (or don’t) use malware at all, being what are known as human-led attacks in which the criminals try to rely as far as they can on system administration tools that are already available on your network.

The crooks have a wide range of TTPs not merely for running malware code, but also for:

  • Breaking in to start with.
  • Tiptoeing round the network once they’re in.
  • Going undetected for as long as possible.
  • Mapping out your network and your naming conventions as well as you know them yourself.
  • Setting up sneaky ways as they can of getting back in later if you kick them out.

This sort of attacker is generally known as an active adversary, meaning that they are often just as hands-on as your own sysadmins, and able to blend in with legitimate operations as much as they can:

Just removing any malware the crooks may have implanted is not enough.

You also need to review any configuration or operational changes they may have made, too, in case they’ve opened up a hidden backdoor through which they (or any other crooks to whom they sell on their knowledge later) may be able to wander back in later at their leisure.

Remember, as we like to say on the Naked Security podcast, even though we know it’s a cliche, that cybersecurity is a journey, not a destination.

If you don’t have enough time or expertise to keep pressing ahead with that journey on your own, don’t be afraid to reach out for help with what’s known as MDR (managed detection and response), where you team up with a trusted group of cybersecurity experts to help to keep your own data breach dials well below a Spinal Tap-like “11”.


Huh? I thought PCI compliance required safeguards on all this stuff? Were they never audited?

Small non-profits in the US use PayPal or Square and absorb the 2-3% burden because they recognize they don’t have capability to meet PCI requirements. I guess they didn’t realize they could simply ignore the requirements.


Maybe they were compliant? (As the annual vehicle safety check in the UK makes clear, passing the test is not proof of roadworthiness… it’s just a minimum mandatory check without which you can’t use the vehicle at all. In other words, if you fail you know you are *not* roadworthy, but that’s where the grading stops.)


I don’t mean to criticize, but according to the article it seems to be almost 2 years from the earliest known date the crooks were in the system (2019-06-25) until SeeTickets was alerted to the breach (2022-04), not 2.5 years.

Did my math break, or am I maybe misunderstanding/mis-reading something?


No, it was a mistake… the 2.5 years includes the time between knowing about it and “fixing” it. I have edited accordingly to say “nearly two years” for the 2019-06 to 2022-04 period.

Thanks for the comment!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!