This data breach was caused by an insider; a third-party customer support AI company known as Inbenta was hit with malware. The malware attack on Inbenta allowed hackers to extract Ticketmaster consumer data.
“The malicious software, which Ticketmaster spotted on a customer support product hosted by Inbenta Technologies on Saturday, was exporting UK customers’ data to an unknown third-party, the firm said in a statement”, according to ITPRO.
What was stolen?
The breach affected 40,000 people and exposed an extensive amount of sensitive and critical data. Hackers were able to steal names, email addresses, addresses, phone numbers, Ticketmaster account credentials, and payment card information.
The data stolen affects consumers who made a Ticketmaster purchase between September 2017 and June 23, 2018.
How was this breach realized?
Monzo, a mobile UK bank, released a statement just after the breach was disclosed. According to Monzo, they warned Ticketmaster in April of suspicious and concerning activity relating to customers' bank accounts. Monzo said around 50 bank account holders had reported fraudulent activity. After Monzo conducted an investigation, a common thread was identified. Monzo uncovered that 70% of those affected had made purchases with Ticketmaster between December 2017 and April 2018.
Monzo has stated that after reporting their findings and concerns to the ticket-selling giant, Ticketmaster told them an internal investigation would be carried out. A week later Ticketmaster reported that the investigation showed no signs of a data breach and that no other banking institutions had made reports similar to Monzo's.
“When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf. In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster,” a Ticketmaster spokesperson said in a statement on Friday.
GDPR Data Regulations
Ticketmaster’s earliest accounts of data theft via Inbenta occurred in late 2017, which would have been under the Data Protection Act of 1998. The EU GDPR replaced the prior regulation on May 25, 2018. The breach did not cease until June 23, 2018.
Data breach lawyers have stated that a GDPR investigation and fine are needed for this breach. Not only was Ticketmaster warned by Monzo in April, but Ticketmaster is also required to announce a breach within 72 hours of discovery, rather than months. The time taken to disclose the data breach and the lengthy timespan over which data was exposed both indicate trouble for Ticketmaster.
Ticketmaster’s fate is in the hands of the Information Commissioner’s Office (ICO). The ICO could choose to penalize Ticketmaster under one data regulation or both. Will the GDPR fine of €17m be imposed on the company? It is too soon to know exactly how the ICO will handle Ticketmaster’s data breach.