Event ticketing giant Ticketmaster UK experienced an ongoing data breach affecting 40,000 people over the last several months, many of whom have since fallen victim to scams.

The breach was disclosed by the company on June 23, and included a full range of customer information, including names, addresses, phone numbers, payment data, logins and passwords.

As Wired noted, the breach offers a textbook version of what an organization should not do in the aftermath of a cyber event where the best practices remain urgency, transparency and empathy.

Ticketmaster had been warned about the breach in April by Monzo, a UK-based bank, after the bank saw an uptick in fraud complaints. The incidents only affected customers who had purchased tickets through the service. Ticketmaster initially ignored Monzo’s warning and declined to follow up for months.

The breach was caused by Ticketmaster’s reuse of code from one of its contractors, a company called Inbenta. The code was written for the website’s chat functionality and was not secure. Attackers were able to intercept incoming data and orders because the feature was also deployed on the site’s payment pages.

“The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat,” the CEO of Inbenta said in a public statement.
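The mechanism described above is a third-party script running on a page where customers type payment details: any script loaded into that page runs with the same access to the form fields as the site’s own code. The following Node.js script is an added illustration for this article, not code from Ticketmaster or Inbenta. It audits the HTML of a checkout page and flags three things a defender would want to know about: scripts loaded from hosts outside a first-party allowlist, first-party scripts without a Subresource Integrity attribute, and inline scripts. The hostnames (`shop.example`, `cdn.chat-vendor.example`), the sample page and the integrity placeholder are all constructed for the example.

```javascript
// Added example: audit a checkout page for scripts that should not be there.
// Runs with plain Node.js; no third-party modules. All hosts and HTML below
// are constructed for illustration, not taken from any real site.

// Hosts allowed to serve script on the payment page (assumed allowlist).
const FIRST_PARTY_HOSTS = new Set(["shop.example", "static.shop.example"]);

// Constructed checkout page: one first-party script with SRI, one third-party
// chat widget with no integrity check, and one inline script.
const SAMPLE_PAYMENT_PAGE = `
<html><head>
<script src="https://static.shop.example/checkout.js"
        integrity="sha384-PLACEHOLDER_HASH_FOR_EXAMPLE"></script>
<script src="https://cdn.chat-vendor.example/widget.js"></script>
<script>window.__pageInit = true;</script>
</head><body><form id="card-form"></form></body></html>`;

// Pull every <script ...> opening tag and return its attributes as an object.
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  const scripts = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    attrRe.lastIndex = 0; // global regex: reset before scanning each tag
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] !== undefined ? attr[2] : attr[3];
    }
    scripts.push(attrs);
  }
  return scripts;
}

// Classify each script on the page. pageUrl resolves relative src values.
// Returns an array of { src, issue } findings; an empty array means clean.
function auditScripts(html, firstPartyHosts, pageUrl) {
  const findings = [];
  for (const attrs of extractScripts(html)) {
    if (!attrs.src) {
      // Inline script: cannot be pinned with SRI, needs a nonce/hash under CSP.
      findings.push({ src: null, issue: "inline-script" });
      continue;
    }
    let host;
    try {
      host = new URL(attrs.src, pageUrl).hostname;
    } catch {
      findings.push({ src: attrs.src, issue: "unparseable-src" });
      continue;
    }
    if (!firstPartyHosts.has(host)) {
      // The Ticketmaster case: vendor code on a page that handles card data.
      findings.push({ src: attrs.src, issue: "third-party-script" });
    } else if (!attrs.integrity) {
      // First-party host, but a CDN or build change could still swap the file.
      findings.push({ src: attrs.src, issue: "missing-sri" });
    }
  }
  return findings;
}

// Stand-alone usage: print the findings for the constructed page.
console.log(
  JSON.stringify(
    auditScripts(SAMPLE_PAYMENT_PAGE, FIRST_PARTY_HOSTS, "https://shop.example/checkout"),
    null,
    2
  )
);
```

Run against a real checkout page, the audit is a starting point rather than a substitute for a Content Security Policy: the allowlist says which hosts are expected, the SRI check says whether an expected file can be silently replaced, and every finding is something to reconcile against the list of vendors the business actually approved for that page.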

Takeaways

The Ticketmaster UK breach is a perfect example of organizational hubris. They chose to ignore warnings from a third party that was in a position to know something had happened, and thousands were hurt as a result. It is also a great example of what a compromise and/or breach response looks like at an organization with no cybersecurity program in place.

No matter the size or nature of the enterprise, it exists in a larger ecosystem made up of other businesses and entities. No business is immune from cyber security compromises.

The Ticketmaster UK breach reminds us of two certainties in the world of data compromise:

  1. Your organization may not be directly responsible for a data breach, but you are who you hire. Third parties that you rely on are a major cause, as is poor communication about cyber security with those vendors.
  2. Your organization may not discover your data breach. It may be noticed by a third party.

Ticketmaster’s failure to recognize that a large percentage of data breaches are discovered and reported by third-party organizations demonstrates a failure to create a company-wide culture where cybersecurity is a priority, from the boardroom to the mailroom.

Financial institutions, credit card companies, law enforcement and tax collectors are the canaries in the coal mine, as it were, since they see the results of a breach (A.K.A. fraud).

The damage to Ticketmaster UK’s reputation is increasingly the karmic payback that these failures of cybersecurity protocol and culture engender. If you don’t have a cybersecurity plan in place, and a culture of awareness about the dangers out there, you’re a news story waiting to happen.