While the UK branch announced the breach on 28 June, digital bank Monzo said in a statement it had identified potential signs of a breach back in April and cancelled the cards of all of its customers who could have been affected. It said it had informed Ticketmaster of its suspicions on 12 April.
The Guardian reported that the breach had affected tens of thousands of customers of the British operation. It said that a number of Ticketmaster customers had fraudulent transactions debited from their accounts. Money transfer service Xendpay, Uber gift cards and Netflix were among the services on which the fraudsters spent.
Monzo said about 50 of its customers had reported fraudulent transactions on their cards on 6 April. "We immediately replaced their cards. This happens every day, as banks are constantly targeted by financial criminals, so this wasn’t immediately unusual. But as always, we did some analysis to try to identify any trends that might help our customers," the company said.
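The trend analysis Monzo describes is a common-point-of-compromise search: find the merchant that appears in the history of almost every card reporting fraud but few others, estimate when the exposure ran, and replace every card that shopped there in that window before it is misused. The following is an added example, not Monzo's code; the transactions and merchant names are constructed.

```python
from datetime import date

# Constructed sample, not real bank data: (card_id, merchant, date).
# Cards c1-c5 reported fraudulent transactions; c6-c10 did not.
TRANSACTIONS = [
    ("c1", "ticket-seller", date(2018, 2, 5)), ("c1", "grocer", date(2018, 2, 7)),
    ("c2", "ticket-seller", date(2018, 2, 20)), ("c2", "coffee", date(2018, 2, 21)),
    ("c3", "ticket-seller", date(2018, 3, 3)), ("c3", "grocer", date(2018, 3, 4)),
    ("c4", "ticket-seller", date(2018, 3, 15)), ("c4", "coffee", date(2018, 3, 16)),
    ("c5", "ticket-seller", date(2018, 3, 28)), ("c5", "grocer", date(2018, 3, 29)),
    ("c6", "grocer", date(2018, 3, 1)), ("c6", "coffee", date(2018, 3, 2)),
    ("c7", "grocer", date(2018, 3, 5)), ("c10", "coffee", date(2018, 3, 20)),
    ("c8", "ticket-seller", date(2018, 3, 10)), ("c8", "grocer", date(2018, 3, 11)),
    ("c9", "ticket-seller", date(2017, 11, 2)), ("c9", "coffee", date(2018, 3, 12)),
]
FRAUD_CARDS = {"c1", "c2", "c3", "c4", "c5"}

def rank_suspects(transactions, fraud_cards):
    """Score each merchant by how much more often it appears in the history of
    fraud-reporting cards than in the history of other cards. A merchant seen
    by nearly every compromised card but few others is the likely common point
    of compromise. Returns (merchant, fraud_share, clean_share), strongest first."""
    seen = {}
    for card, merchant, _ in transactions:
        seen.setdefault(merchant, set()).add(card)
    clean_cards = {c for c, _, _ in transactions} - fraud_cards
    ranked = []
    for merchant, cards in seen.items():
        fraud_share = len(cards & fraud_cards) / len(fraud_cards)
        clean_share = len(cards & clean_cards) / max(len(clean_cards), 1)
        ranked.append((merchant, round(fraud_share, 2), round(clean_share, 2)))
    ranked.sort(key=lambda r: r[1] - r[2], reverse=True)
    return ranked

def exposure_window(transactions, merchant, fraud_cards):
    """Earliest and latest date a fraud-reporting card used the suspect
    merchant: a first estimate of when the skimming was active."""
    dates = [d for c, m, d in transactions if m == merchant and c in fraud_cards]
    return min(dates), max(dates)

def cards_to_reissue(transactions, merchant, window):
    """Every card that used the suspect merchant inside the window, including
    cards with no fraud yet; these are the ones to replace proactively."""
    start, end = window
    return {c for c, m, d in transactions if m == merchant and start <= d <= end}

if __name__ == "__main__":
    suspect = rank_suspects(TRANSACTIONS, FRAUD_CARDS)[0][0]
    window = exposure_window(TRANSACTIONS, suspect, FRAUD_CARDS)
    print(suspect, window, sorted(cards_to_reissue(TRANSACTIONS, suspect, window)))
```

With the sample data the ticket seller is the only merchant used by all five fraud cards, and card c8, which used it inside the window but has reported no fraud, lands on the reissue list while c9's 2017 purchase does not.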
Why? Traditionally banks have worked in the shadows on card misuse. Banks notify firms all the time they've likely been owned, and never disclose in public. Lots of those orgs then don't disclose to customers. How it has been for decades.
— Kevin Beaumont (@GossiTheDog) June 28, 2018
In a statement sent to customers in Australia, Ticketmaster said its UK branch had identified malicious software on a customer support product hosted by Inbenta Technologies, a third-party supplier.
"As a result of Inbenta’s product running on Ticketmaster International websites, some of our customers’ personal or payment information may have been accessed by an unknown third party," the company said.
Inbenta, for its part, said: "Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.
"We have resolved the vulnerability as of 26 June. We have also thoroughly checked all custom and general scripts and snippets, and we are completely confident that no other customer of Inbenta has been compromised in any way."
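The failure both companies describe is a third-party script on a payment page being modified after it was put into service. Subresource Integrity (SRI) is the standard browser control against that for a script loaded from a hosted URL: the page pins a hash of the reviewed file and the browser refuses any copy that does not match. The following is an added example, not Inbenta's or Ticketmaster's code; the scripts and the URL are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample scripts (not the real Inbenta or Ticketmaster code): the
# version the site operator reviewed and pinned, and the same file with a
# change appended without the operator's knowledge.
REVIEWED_SCRIPT = b"function supportWidget() { /* chat bootstrap */ }\n"
CHANGED_SCRIPT = REVIEWED_SCRIPT + b"/* unreviewed modification */\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")  # weakest to strongest

def sri_token(content: bytes, algo: str = "sha384") -> str:
    """One integrity token, '<algo>-<base64 digest>', as the SRI spec defines it."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, content: bytes) -> str:
    """The <script> tag to ship once the third-party file has been reviewed.
    crossorigin is required for integrity checks on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_token(content)}" '
            f'crossorigin="anonymous"></script>')

def integrity_matches(content: bytes, integrity: str) -> bool:
    """Mirror the browser rule: keep only the tokens that use the strongest
    algorithm listed, and accept the file if any one of them matches."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGOS]
    if not tokens:
        return False
    strongest = max(tokens, key=lambda t: SRI_ALGOS.index(t.partition("-")[0]))
    strong_algo = strongest.partition("-")[0]
    candidates = [t for t in tokens if t.partition("-")[0] == strong_algo]
    return any(sri_token(content, strong_algo) == t for t in candidates)

def check_served_copy(served: bytes, pinned_tag: str) -> bool:
    """Server-side monitor: re-fetch the hosted file on a schedule and test it
    against the pinned attribute, so a change is noticed by the operator and
    not only by customers' browsers refusing to run the script."""
    start = pinned_tag.index('integrity="') + len('integrity="')
    integrity = pinned_tag[start:pinned_tag.index('"', start)]
    return integrity_matches(served, integrity)

if __name__ == "__main__":
    tag = script_tag("https://third-party.example/widget.js", REVIEWED_SCRIPT)
    print(tag)
    print(check_served_copy(REVIEWED_SCRIPT, tag))  # True
    print(check_served_copy(CHANGED_SCRIPT, tag))   # False
```

Pinning only covers scripts the page loads through such a tag; a script copied onto the page itself, as Inbenta says was done here, has to be change-controlled as first-party code and diffed against the approved copy.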
Australian customers who had purchased, or tried to buy, tickets between September 2017 and 23 June were sent the warning notice from Ticketmaster.
The company advised that all customers who had been notified would need to change their passwords the next time they logged in. Additionally, customers who had been affected were offered a free 12-month identity monitoring service with "a leading provider".
Commenting on the incident, Eduard Goodman, global privacy officer for security vendor CyberScout, described the breach as a perfect example of organisational hubris.
"By ignoring and downplaying several indicators raised by a third-party bank trying to simply give Ticketmaster a heads-up that they were likely having an issue, Ticketmaster has now placed tens of thousands of individuals at risk with a large number of their impacted customers now suffering actual fraud as a result," he said.
Ticketmaster’s inability to realise that many data breaches are discovered and reported by third parties "demonstrates a clear lack of understanding of the manner in which information security failings are increasingly being discovered", he said.
"Organisations ranging from financial institutions and card companies to law enforcement and tax collectors have increasingly been the ‘canary in the coalmine’ for other organisations by discovering and pointing out previously unknown security breaches.
"The Ticketmaster breach reminds us of two certainties in the world of data breaches: First, if it isn’t your organisation that caused a data breach then it will be some third party you rely on. Second, if it isn’t your organisation that discovers a data breach then it will be some third party that discovers it for you. But if you ignore either of these certainties you do so at your organisation’s peril."
James Lerud, head of the behavioural research team at security company Verodin, said: "Ticketmaster's business model is centred around being a trusted third party between promoters and consumers. A breach like this calls into question how much they can be trusted.
"Any company that outsources parts of their business that includes sensitive data needs to be extremely cautious to ensure they are not outsourcing security because the responsibility of safeguarding consumer data cannot be outsourced.
"In cases where sensitive data handling has to be outsourced, extra effort needs to be taken to continuously verify that proper controls are in place. A periodic paper audit does not cut it, a program where controls are continually measured and improved must be implemented.
"Both consumers and host companies should expect such a program to be in place before trusting a third party organisation."
Another security professional, Tyler Moffitt, senior threat research analyst at Webroot, said: "Our world is becoming increasingly more automated and bots will continue to replace humans for many tasks.
"However, using bots to handle payment information is asking for trouble in our current landscape. I'm not surprised that attackers found a vulnerability in the JavaScript code the bots use to handle this sensitive, valuable information.
"Monzo bank had even warned of this hack back in April, but Ticketmaster denied it. I'm curious what the GDPR repercussions will be of this breach that affected over 40,000 UK users." He was referring to the General Data Protection Regulation, a privacy law that took effect across the European Union on 25 May.