The popular ticket sales and distribution company Ticketmaster has notified the users of its UK site that their personal information may have been accessed by an unauthorised third party.
Payment information is also understood to have been compromised.
According to the BBC, as many as 40,000 UK customers – who include users of the Ticketmaster International, GETMEIN! and TicketWeb websites – could have been affected by the incident.
Ticketmaster has set up a website to answer customers’ questions and has offered them 12 months’ free identity monitoring. Users have also been advised to reset their passwords.
On Saturday 23 June, Ticketmaster discovered that a malware infection on a third-party support product hosted by Inbenta Technologies was exfiltrating Ticketmaster customer data to an unkown third party.
[EDIT: The third party was later identified as Magecart.]
Ticketmaster immediately disabled the Inbenta product across all its websites.
According to Ticketmaster: “UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 may be affected as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018.”
Inbenta, however, says that Ticketmaster was responsible:
“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”
Whichever company is proven right, the incident highlights the importance of data security, especially now the GDPR (General Data Protection Regulation) is in effect.
Under the new law, data controllers are responsible for the security of personal data processed on their behalf by data processors, and are liable for administrative fines of up to €20 million or 4% of annual global turnover (whichever is greater), as well as legal action from data subjects.
The BBC reports that Ticketmaster is “confident” it has complied with the GDPR.
The Information Commissioner’s Office is investigating, and the National Cyber Security Centre is monitoring the situation.