The U.K. division of ticketing giant Ticketmaster Entertainment Inc. has been hacked and customer data stolen, but even worse is the revelation that it was warned of the security issue in April but ignored it.

Ticketmaster UK first confessed to the hack on Wednesday, saying that it had identified malicious software on a customer support product hosted by an external supplier and some of its customers’ personal or payment data may have been accessed by an unknown third party.

The company initially said only 5 percent of customers in the U.K. were affected by the hack, which included the theft of names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details. But an exact number is hard to pin down. Computer Business Review reported Thursday that it could be as few as 40,000 records but noted that it appears the data stolen was unencrypted because stolen credit card details have been used by the hackers.

Those behind the hack gained access to the data via a JavaScript vulnerability in customer support software provided by Inbenta Technologies Inc., confirmed by Inbenta itself, to obtain access.  Where the hack becomes messy is that Monzo Bank Ltd. claims to have told Ticketmaster of the breach in April and even had meetings with Ticketmaster to discuss it, but Ticketmaster did nothing in the months following to address it.

Fred Kneip, chief executive officer of CyberGRX Inc., told SiliconANGLE that despite ignoring the earlier warning, the breach is a textbook example of why third-party breaches can be so difficult to prevent.

“Ticketmaster has thousands of third parties that they interact with, but it only takes a single vulnerability introduced by one – in this case an AI chatbot provider – to create the opportunity for hackers to access customer data,” Kneip said. “Companies need to develop a more comprehensive understanding of the security controls of all third parties in their digital ecosystem and how that impacts their own risk exposure.”

Ben Johnson, co-founder and chief technology officer of Obsidian Security Inc., agreed that the hack highlights the risks inherent with outsourcing operations to third-parties, namely surrendering some ownership of security.

“What assurances do you have that they are taking the proper precautions and are holding themselves to the same security standards as your organization? What infrastructure are they running? How is it protected?” he cited as questions that need to be asked. “Ticketmaster is not the only enterprise that doesn’t have answers to these questions, and they won’t be the last organization to see their name in unflattering headlines for security incidents that didn’t actually have much to do with them.”

James Lerud, head of the behavioral research team for Verodin Inc., said that no matter who’s responsible for specific problems, the buck stops with Ticketmaster.

“Ticketmaster’s business model is centered around being a trusted third party between promoters and consumers,” he said. “A breach like this calls into question how much they can be trusted.”

The data theft, which occurred over the period of February to June this year, means that it’s likely that more details are yet to emerge, according to Paul Ducklin, senior technologist at Sophos Group PLC.

“Ticketmaster’s woes are only just starting,” Ducklin said. “Data breaches are bad news at the best of times. But the longer a breach lasts, and the further away from your own control it takes place, the harder it is to get to the bottom of it.”

Photo: yumiang/Flickr