Ticketmaster UK has confirmed that it recently detected a malicious software on a customer support product hosted by a third party supplier that was covertly exporting personal and financial data of around 5 percent of its customers to a third party.
The malicious software, which was detected by Ticketmaster UK's IT teams on 23rd June, was found hidden on a customer support product hosted by Inbenta Technologies and according to Ticketmaster UK, gained access to personal and financial information of UK customers who purchased, or attempted to purchase, tickets between February and June 23 and international customers (except those in North America) who purchased, or attempted to purchase, tickets between September 2017 and June 23 this year.
Information accessed by hackers via the malicious software included names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details of around 40,000 Ticketmaster UK customers.
Insecure third-party software compromised
"On Saturday, June 23, 2018, Ticketmaster UK identified that malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster, was exporting UK customers' data to an unknown third-party. As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites.
As a result of Inbenta's product running on Ticketmaster International websites, some of our customers' personal or payment information may have been accessed by an unknown third-party. Forensic teams and security experts are working around the clock to understand how the data was compromised," said the firm in a blog post.
It added that Inbenta's product was running on Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb websites and as a precaution, it is now notifying all customer in the UK and abroad to reset their passwords when they next log into their accounts.
All Ticketmaster UK customers are also being asked to monitor their account statements for evidence of fraud or identity theft and to contact their banks if they do find that their accounts have been breached.
Ticketmaster can't abdicate responsibility
Commenting on the large-scale data breach that lasted several months before the malicious software was discovered, Stephen Gailey, solutions architect at Exabeam said that Ticketmaster UK, like other organisations that outsource some or all of their IT services, needs to understand that it can’t abdicate responsibility for security.
"It is the responsibility of every organisation to protect customers' data and to ensure that their downstream service providers are also taking adequate precautions. Similarly organisations that get breached need to realise that simply offering identity monitoring services is not an adequate response, particularly under GDPR. Where is the ICO in all of this?" he said.
Martin Jartelius, CSO at Outpost24, said that while many firms are now including code from other organisations' servers into their own for ad tracking or for tracking user experience and interactions, they must maintain control over their servers so that they are able to detect the presence of malicious software.
"By including code from other organizations servers (rather than hosting it yourself) you are exposed to vulnerabilities or risks that are out of your control. Trust is essential in a partnership, but control is even more important – ensure that when you secure your applications you demand the same from vendors you intend to integrate or work with," he said.
Joseph Carson, chief security scientist at Thycotic says that the latest breach exposes that cybercriminals are using Artificial Intelligence (AI) to exploit and target victims via third-party companies.
"Guaranteeing your supply chain is protecting and securing their products and solutions can longer be ignored. Many companies are using chat bots to help automate their customer experiences, having been lured into fancy buzzwords like Machine Learning, Artificial Intelligence and Virtual Assistance.
"Cyber criminals will always target the weakest link and, in this particular case, I believe this breach is worse than what we know so far. Yes, personal details, financial information and passwords have been likely exposed and now available on the darknet for cyber criminals to abuse. However, it will be interesting to learn whether the cyber criminals also accessed the Artificial Intelligence information that could be used for a more targeted type of attack," he adds.