Blog

Ticketmaster ignored warnings months before data breach

Written by Jack Whisker | 02-Jul-2018 16:20:42

Ticketmaster have become one of the first companies to have a major data breach since the arrival of GDPR. Data including payment details, addresses, names and phone numbers of around 40,000 users have all been affected by the breach. Ticketmaster say the breach was first detected on the 23rd June and affected 5% of its customers.

Despite only appearing in the news this week it has been revealed that this breach was detected in April by upstart bank Monzo. They noticed a pattern between customers who reported fraudulent activity and had also made a recent purchase through Ticketmaster. On 6th April, 50 Monzo customers complained about someone using their details to spend money and 35 of them had previously used Ticketmaster. Monzo then began to alert Ticketmaster to the issue who said they would investigate internally however they believed that “no evidence of a breach was found, and no other banks were reporting similar patterns”.

The week after the meeting between Monzo and Ticketmaster, the fraud team found what they claim was ‘almost complete evidence’.

Monzo’s head of financial crime Natasha Vernier spoke to New Statesman “We noticed that one of our customers had a declined transaction at a merchant that fraudsters were spending the money at. The transaction had been declined because the expiry date was wrong. When looking at the customer’s account they had previously tried to spend money at Ticketmaster however this had failed because they had entered the same incorrect expiry date”.

Even after this case Monzo continued to give Ticketmaster evidence of a data breach to which Ticketmaster confidently replied that they have investigated and found no breach. It took Ticketmaster 3 months to figure out the source of the breach and the vulnerability was fixed within 3 days. It turned out Ticketmaster hadn’t been directed breached but one of their subcontractors, Inbenta Technologies had been. They operated a chatbot on the Ticketmaster site and hackers gain access through a line of code that had been used on the Ticketmaster payment page.

Monzo themselves spent around £50,000 on replacing cards for bank users who had used Ticketmaster but didn’t disclose until last week who the company was who had been breached. It is unknown as to whether Monzo will take legal action against Ticketmaster. Ticketmaster also face charges from the Information Commissioner’s Office (ICO) who are “making enquiries” and would be reaching a decision soon. Close attention will be paid as to whether Ticketmaster complied with regulation however whether they did or not might not affected many customers buying their tickets elsewhere next time.