Ticketmaster, a subsidiary of Live Nation, the world’s largest live entertainment ticketing sales and marketing company, has been hacked, with potentially millions estimated to have had their payment details accessed.

It is unclear how those details were protected. Information which may have been compromised includes: name, address, email address, telephone number, payment details and Ticketmaster login details, the company said.

The company has yet to release a specific number for those affected, saying “less than five percent” of its global customer base has been impacted. The company sold 500 million tickets to 86 million fans last year.

A company spokesman told Computer Business Review it was working on getting a specific number, after issuing a statement three days after discovering the hack; as required under GDPR regulations.

Third Party Software from Inbenta Blamed

The company said today: “On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.”

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites. Less than 5% of our global customer base has been affected by this incident. Customers in North America have not been affected.

“As a result of Inbenta’s product running on Ticketmaster International websites, some of our customers’ personal or payment information may have been accessed by an unknown third-party.”

“Hey, We Didn’t Say Run that Script on your Payments Page…”

Inbenta, which provides its “Inbenta Case Management” system to clients globally, Shot the blame back at Ticketmaster in a statement released early the following day.

CEO of Inbenta, Jordi Torras, saying the issue was now “fully resolved”, wrote: “It has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements. This code is not part of any of Inbenta’s products or present in any of our other implementations.”

He added: “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

In an additional security FAQ the company added: “One of the advantages of hosting scripts at Inbenta’s servers that are embedded in our customer’s website is the flexibility that Inbenta can offer to our customers to have new functionalities or updates up and running quickly. The downside is that we cannot monitor which web pages our customers are embedding those scripts on and therefore we cannot prevent customers putting them in pages that collect sensitive information.”

“Although no customer is at risk at this point, we are working with them to make sure all the customized snippets and javascript files are solely hosted by our customers, so Inbenta’s technology will be solely accessed by our secured, standard RESTful API. Some of our customers are already using this RESTful API as the only access to our technology.”

Ticketmaster has opened https://security.ticketmaster.co.uk/ for those worried they have been affected.

ticketmaster
“Who’s been hacked?!”

Patrick Hunter, Director at One Identity, said: “Ticketmaster has fallen foul of the sub-processor parts of GDPR here.  They need to make sure that they are compliant but so are all the third parties that share their consumer’s data.”

He added: “They will need to look at their internal procedures and those of their suppliers again and find out how to stop these sorts of things happening in the first place.  Education is usually the first thing to look at.  We should be asking that question with every breach, someone, somewhere made a mistake.  They happen!”

He added: “But how can they be mitigated?  Educate the users so they don’t fall for phishing attacks (we can make an assumption here that Ticketmaster’s attack came from this route) but also stop the accounts of admins having direct access to servers and critical accounts.  Use password stores and two-factor authentication at a minimum to protect those critical accounts that inevitably get abused during a hack or breach.”

UPDATED 7.40 BST , June 28, 2018, with details from Inbenta.