The data breach at Live Nation Entertainment-owned Ticketmaster (TM), believed to have seen customers’ names, addresses, email, telephone numbers and payment details compromised, was “only the tip of the iceberg” according to a report by cyber-security firm RiskIQ.
The hack, admitted by the ticketing giant last month, is believed to have been part of a “massive digital credit card-skimming campaign” by Magecart, which RiskIQ refers to as a “threat group” that targeted “payment information entered into forms” on Ticketmaster’s various websites.
“While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster,” says RiskIQ threat researcher Yonathan Klijnsma.
The data breach affected not only TM’s primary platform but also its Ticketweb and resale site GetMeIn, as Inbenta’s product was running across all three.
The company, which says it identified the problem on 23 June, has called in forensic and security experts to identify how the data was accessed and is working with the Information Commissioner’s Office (ICO), as well as credit card companies, banks and relevant authorities.
However, digital bank Monzo says it warned TM of its concern about a series of dubious transactions on 12 April and was told the ticketing giant would investigate internally. The bank replaced the cards of 50 customers who had reported fraudulent transactions on 6 April. It then carried out an investigation that found 70 per cent of affected customers had used their cards with TM in the past five months.
TM has contacted all potentially affected customers, advising them to reset their passwords and offering them a free 12-month identity monitoring service. Customers in North America are not affected.
As a result of the breach, TM could face a multi-million-euro fine, or four per cent of turnover, under the European Union’s new General Data Protection Regulation (GDPR), which came into effect on 25 May.
TM declined to comment.
Just weeks ago, US company Ticketfly was hacked, with around 27 million customers’ data potentially compromised, including names, addresses, email and phone numbers (see Audience issue 221).
The San Francisco-based company was taken offline and took six days to become fully functioning again, forcing some promoter and venue clients to cancel or rearrange shows.