Massive data breach exposes over half a million records from Ticket to Cash platform

A major data breach has exposed over 520,000 records linked to Ticket to Cash, an online platform facilitating ticket resales for concerts and live events. The discovery was made by cybersecurity researcher Jeremiah Fowler, who identified an unprotected 200GB database containing sensitive user information.

The database, which lacked encryption and password protection, was publicly accessible and held a wide array of data. It included names, email addresses, home addresses, and partial credit card numbers, along with thousands of digital ticket files, proof of ticket transfers, receipts, and supporting documents. The compromised files were in PDF, image, and JSON formats, offering clear evidence of real-world transactions processed through the platform.

Fowler traced the source of the exposed data to Ticket to Cash based on internal folder names and file structures. Ticket to Cash enables users to list tickets for resale across a vast network of more than 1,000 websites, collecting commissions only upon successful sales. Despite Fowler’s responsible disclosure to the company, his initial attempt to alert them went unanswered. The database remained unsecured for four days after the first notice, during which time the number of exposed records grew by over 2,000.

The exact origins of the data management failure remain uncertain. It has not been confirmed whether the exposed database was directly handled by Ticket to Cash or by an external contractor acting on its behalf. Additionally, there is no available evidence regarding how long the database had been publicly accessible or whether it had been accessed or downloaded by malicious actors. Only an in-depth internal investigation could reveal the duration and potential consequences of the breach.

This incident raises significant concerns about data privacy, particularly given the nature of the compromised information. Personally identifiable information (PII) combined with partial financial details can be misused for fraudulent purposes or identity theft. The breach comes at a time when digital ticketing continues to grow in popularity, further amplifying the risks associated with inadequate cybersecurity practices.

Criticism has also been directed at Ticket to Cash for its customer service, with users reporting delays in receiving payments through PayPal and difficulties in communicating with the company. Fowler echoed these concerns, citing the lack of response during his disclosure attempts.