The popular ticket sales and distribution company Ticketmaster has notified the users of its UK site that their personal information may have been accessed by an unauthorised third party.
Payment information is also understood to have been compromised.
According to the BBC, as many as 40,000 UK customers – who include users of the Ticketmaster International, GETMEIN! and TicketWeb websites – could have been affected by the incident.
Ticketmaster has set up a website to answer customers’ questions and has offered them 12 months’ free identity monitoring. Users have also been advised to reset their passwords.
On Saturday 23 June, Ticketmaster discovered that a malware infection on a third-party support product hosted by Inbenta Technologies was exfiltrating Ticketmaster customer data to an unknown third party.
Ticketmaster immediately disabled the Inbenta product across all its websites.
According to Ticketmaster: “UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 may be affected as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018.”
The incident highlights the importance of supply-chain security, especially now that the GDPR (General Data Protection Regulation) is in effect.
Under the new law, data controllers (such as Ticketmaster) are responsible for the security of personal data processed on their behalf by data processors (such as Inbenta), and are liable for administrative fines of up to €20 million or 4% of annual global turnover (whichever is greater), as well as legal action from data subjects.
The BBC reports that Ticketmaster is “confident” it has complied with the GDPR.
The Information Commissioner’s Office is investigating, and the National Cyber Security Centre is monitoring the situation.