Central Tickets confirms data breach exposing personal information of users

London-based discount theatre ticketing platform Central Tickets experienced a significant data breach in July that compromised the personal information of many users. The breach, which occurred on July 1, 2024, exposed users’ names, emails, phone numbers, and other sensitive data, although the company only became aware of the incident in September 2024.

The breach affected a staging database used for testing purposes, which was separate from Central Tickets’ main website and application. Despite being isolated, this database still contained valuable user data, including hashed passwords, which an unauthorized hacker accessed.

Central Tickets responded by immediately notifying the Information Commissioner’s Office (ICO) within the 72-hour window required by GDPR, locking down the compromised system, and enforcing password resets for all users. CEO Lee McIntosh issued a formal apology, ensuring users that steps were being taken to strengthen their cybersecurity defenses to avoid future incidents.

The number of affected users has not been publicly disclosed, but Central Tickets has warned customers to be cautious of potential phishing attempts. The company urged vigilance when dealing with unfamiliar emails, phone calls, or text messages.

Hackread.com, a cybersecurity news platform, traced the actions of the hacker responsible for the Central Tickets breach, which operates under the alias “0xy0um0m.” Hackread.com revealed that the hacker gained access to Central Tickets’ systems on July 2, 2024, and offered the stolen data for sale on a hacking forum for $3,000.

In September 2024, “0xy0um0m” leaked data from 1 million Central Tickets users, including full names, email addresses, phone numbers, IP addresses, hashed passwords, and details about events customers had attended. Admin logs, referral codes, and account creation dates were also disclosed, raising concerns about how much sensitive data had been exposed.