Friday, 29 June 2018 06:35

Ticketmaster warns Australians their credit card details could be at risk too

By Sam Varghese

American multinational ticket sales and distribution company Ticketmaster has warned Australian customers that they, too, could be at risk of having their credit card details leaked after the discovery of malware at the company's British operations.

While Ticketmaster UK blamed third-party supplier Inbenta Technologies for the incident, Inbenta said that the breach had been caused by Ticketmaster directly applying a customised piece of JavaScript without notifying its team.

While the UK branch announced the breach on 28 June, digital bank Monzo said in a statement it had identified potential signs of a breach back in April and cancelled the cards of all of its customers who could have been affected. It said it had informed Ticketmaster of its suspicions on 12 April.

The Guardian reported that the breach had affected tens of thousands of customers of the British operation. It said that a number of Ticketmaster customers had fraudulent transactions debited from their accounts. Money transfer service Xendpay, Uber gift cards and Netflix were among the services on which the fraudsters spent.

Monzo said about 50 of its customers had reported fraudulent transactions on their cards on 6 April. "We immediately replaced their cards. This happens every day, as banks are constantly targeted by financial criminals, so this wasn’t immediately unusual. But as always, we did some analysis to try to identify any trends that might help our customers," the company said.

"After investigating, our Financial Crime and Security team noticed a pattern: 70% of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster."
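The comparison Monzo describes, a merchant's share among fraud-hit cards against its share among all cards, is commonly called common-point-of-purchase analysis. The sketch below is an added example, not Monzo's code; the function names, merchant labels and transaction data are constructed for illustration, with the sample sized to reproduce the quoted 70% and 0.8% figures.

```python
from collections import defaultdict

def rank_common_merchants(transactions, fraud_cards, min_fraud_share=0.2):
    """Rank merchants by over-representation among fraud-hit cards.

    transactions: iterable of (card_id, merchant) pairs for the lookback window.
    fraud_cards:  card_ids with reported fraud.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)
    hit = set(fraud_cards) & all_cards
    if not hit:
        return []
    ranked = []
    for merchant, cards in cards_by_merchant.items():
        fraud_share = len(cards & hit) / len(hit)      # share of fraud-hit cards seen here
        base_share = len(cards) / len(all_cards)       # share of all cards seen here
        if fraud_share >= min_fraud_share:             # ignore merchants few victims used
            ranked.append({"merchant": merchant, "fraud_share": fraud_share,
                           "base_share": base_share, "lift": fraud_share / base_share})
    return sorted(ranked, key=lambda r: r["lift"], reverse=True)

def build_sample():
    """Constructed data: 5,000 cards, 50 with fraud, mirroring the quoted 70% vs 0.8%."""
    fraud = {f"card-{i}" for i in range(50)}
    txns = []
    for i in range(5000):
        txns.append((f"card-{i}", "grocer-A"))         # everyone shops here
        if i % 10 == 0:
            txns.append((f"card-{i}", "cafe-B"))
    for i in list(range(35)) + list(range(50, 55)):    # 35 fraud-hit + 5 other cards
        txns.append((f"card-{i}", "ticket-merchant"))
    return txns, fraud

if __name__ == "__main__":
    txns, fraud = build_sample()
    for row in rank_common_merchants(txns, fraud):
        print(f'{row["merchant"]:16} fraud={row["fraud_share"]:.1%} '
              f'base={row["base_share"]:.1%} lift={row["lift"]:.1f}x')
```

Ranking by lift rather than raw share is what separates the compromised merchant from one that every customer uses: in the sample, the grocer appears on all fraud-hit cards but has a lift of 1.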

In a statement sent to customers in Australia, Ticketmaster said its UK branch had identified malicious software on a customer support product hosted by Inbenta Technologies, a third-party supplier.

"As a result of Inbenta’s product running on Ticketmaster International websites, some of our customers’ personal or payment information may have been accessed by an unknown third party," the company said.

Inbenta said in a statement that it had confirmed the source of the data breach was a single piece of JavaScript code that Inbenta had customised to meet Ticketmaster’s particular requirements. "This code is not part of any of Inbenta’s products or present in any of our other implementations," the company said.

"Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.

"We have resolved the vulnerability as of 26 June. We have also thoroughly checked all custom and general scripts and snippets, and we are completely confident that no other customer of Inbenta has been compromised in any way."

Australian customers who had purchased, or tried to buy, tickets between September 2017 and 23 June were sent the warning notice from Ticketmaster.

The company advised that all customers who had been notified would need to change their passwords the next time they logged in. Additionally, customers who had been affected were offered a free 12-month identity monitoring service with "a leading provider".

Commenting on the incident, Eduard Goodman, global privacy officer for security vendor CyberScout, described the breach as a perfect example of organisational hubris.

"By ignoring and downplaying several indicators raised by a third-party bank trying to simply give Ticketmaster a heads-up that they were likely having an issue, Ticketmaster has now placed tens of thousands of individuals at risk with a large number of their impacted customers now suffering actual fraud as a result," he said.

Ticketmaster’s inability to realise that many data breaches were discovered and reported by third parties "demonstrates a clear lack of understanding of the manner in which information security failings are increasingly being discovered", he said.

"Organisations ranging from financial institutions and card companies to law enforcement and tax collectors have increasingly been the ‘canary in the coalmine’ for other organisations by discovering and pointing out previously unknown security breaches.

"The Ticketmaster breach reminds us of two certainties in the world of data breaches: First, if it isn’t your organisation that caused a data breach then it will be some third party you rely on. Second, if it isn’t your organisation that discovers a data breach then it will be some third party that discovers it for you. But if you ignore either of these certainties you do so at your organisation’s peril."

James Lerud, head of the behavioural research team at security company Verodin, said: "Ticketmaster's business model is centred around being a trusted third party between promoters and consumers. A breach like this calls into question how much they can be trusted.

"Any company that outsources parts of their business that includes sensitive data needs to be extremely cautious to ensure they are not outsourcing security because the responsibility of safeguarding consumer data cannot be outsourced.

"In cases where sensitive data handling has to be outsourced, extra effort needs to be taken to continuously verify that proper controls are in place. A periodic paper audit does not cut it; a program where controls are continually measured and improved must be implemented.

"Both consumers and host companies should expect such a program to be in place before trusting a third party organisation."

Another security professional, Tyler Moffitt, senior threat research analyst at Webroot, said: "Our world is becoming increasingly more automated and bots will continue to replace humans for many tasks.

"However, using bots to handle payment information is asking for trouble in our current landscape. I'm not surprised that attackers found a vulnerability in the JavaScript code the bots use to handle this sensitive valuable information.

"Monzo bank had even warned of this hack back in April, but Ticketmaster denied it. I'm curious what the GDPR repercussions will be of this breach that affected over 40,000 UK users." He was referring to the General Data Protection Regulation, a privacy law that took effect across the European Union on 25 May.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
