UPDATED 22:14 EST / JUNE 28 2018

2973768998_2f2f0bf227_o INFRA

Ticketmaster UK confirms customer data stolen via hack it ignored in April

The U.K. division of ticketing giant Ticketmaster Entertainment Inc. has been hacked and customer data stolen, but even worse is the revelation that it was warned of the security issue in April but ignored it.

Ticketmaster UK first confessed to the hack on Wednesday, saying that it had identified malicious software on a customer support product hosted by an external supplier and some of its customers’ personal or payment data may have been accessed by an unknown third party.

The company initially said only 5 percent of customers in the U.K. were affected by the hack, which included the theft of names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details. But an exact number is hard to pin down. Computer Business Review reported Thursday that it could be as few as 40,000 records but noted that it appears the data stolen was unencrypted because stolen credit card details have been used by the hackers.

Those behind the hack gained access to the data via a JavaScript vulnerability in customer support software provided by Inbenta Technologies Inc., confirmed by Inbenta itself, to obtain access.  Where the hack becomes messy is that Monzo Bank Ltd. claims to have told Ticketmaster of the breach in April and even had meetings with Ticketmaster to discuss it, but Ticketmaster did nothing in the months following to address it.

Fred Kneip, chief executive officer of CyberGRX Inc., told SiliconANGLE that despite ignoring the earlier warning, the breach is a textbook example of why third-party breaches can be so difficult to prevent.

“Ticketmaster has thousands of third parties that they interact with, but it only takes a single vulnerability introduced by one – in this case an AI chatbot provider – to create the opportunity for hackers to access customer data,” Kneip said. “Companies need to develop a more comprehensive understanding of the security controls of all third parties in their digital ecosystem and how that impacts their own risk exposure.”

Ben Johnson, co-founder and chief technology officer of Obsidian Security Inc., agreed that the hack highlights the risks inherent with outsourcing operations to third-parties, namely surrendering some ownership of security.

“What assurances do you have that they are taking the proper precautions and are holding themselves to the same security standards as your organization? What infrastructure are they running? How is it protected?” he cited as questions that need to be asked. “Ticketmaster is not the only enterprise that doesn’t have answers to these questions, and they won’t be the last organization to see their name in unflattering headlines for security incidents that didn’t actually have much to do with them.”

James Lerud, head of the behavioral research team for Verodin Inc., said that no matter who’s responsible for specific problems, the buck stops with Ticketmaster.

“Ticketmaster’s business model is centered around being a trusted third party between promoters and consumers,” he said. “A breach like this calls into question how much they can be trusted.”

The data theft, which occurred over the period of February to June this year, means that it’s likely that more details are yet to emerge, according to Paul Ducklin, senior technologist at Sophos Group PLC.

“Ticketmaster’s woes are only just starting,” Ducklin said. “Data breaches are bad news at the best of times. But the longer a breach lasts, and the further away from your own control it takes place, the harder it is to get to the bottom of it.”

Photo: yumiang/Flickr

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.