June 28, 2018, updated 29 Jun 2018 11:39am

The Ticketmaster Hack is Worse Than First Thought

Warned in April, failed to spot issue; declining to reveal numbers

By CBR Staff Writer

Ticketmaster, which revealed a major breach of user payment details yesterday, was repeatedly warned it may have a problem by challenger bank Monzo as early as April, but an internal investigation failed to reveal any security issues.

That’s according to a blog by the London-based digital bank’s Head of Financial Crime, Natasha Vernier, published today. Worse, it reveals that the payment card details accessed have already been used fraudulently.

It was previously unclear whether payment details had been stolen in encrypted format or not. The fraudulent use shows that the hackers hold the stolen card details in usable form.

The company is refusing to reveal the total number of those affected or even those it has contacted. Ticketmaster is referring press inquiries to its PR agency Freuds.

An agency spokesman said they “don’t have the global number” of those affected.

They also declined to say how many potential Ticketmaster customers in the UK had been contacted. The agency is saying “on background” that early estimates are 40,000 people in the UK have had their payment details swiped.

A spokesman said in an email to Computer Business Review: “However we have – erring on the side of caution – contacted a wider group who could possibly have been affected but there is no evidence that this has occurred.”


It refused to reveal the number of that “wider group”.

Fraudulent Transactions Spotted in Early April

Vernier said: “On Friday 6th April, around 50 customers got in touch with us to report fraudulent transactions on their accounts and we immediately replaced their cards.”

“After investigating, our Financial Crime and Security team noticed a pattern: 70% of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster.”

As the scale of the issue grew, Monzo sent out six thousand replacement cards between April 19 and 20 to customers who had used their Monzo cards at Ticketmaster.

“Throughout this period we were in direct contact with Ticketmaster. On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”
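The comparison Monzo describes (a merchant's share among fraud-reporting cards against its share among all cards) is a common-point-of-purchase check. The following is an added example, not Monzo's code; the function names, thresholds and card data are constructed, with the sample sized to reproduce the 70% and 0.8% figures quoted above.

```python
from collections import Counter

def common_point_of_purchase(card_merchants, fraud_cards, min_lift=10.0, min_cards=5):
    """Rank merchants by over-representation among fraud-reporting cards.

    card_merchants: card id -> set of merchants used in the lookback window
    fraud_cards:    card ids whose holders reported fraud
    Returns (merchant, share_among_fraud, share_overall, lift) tuples, highest lift first.
    """
    overall = Counter(m for ms in card_merchants.values() for m in ms)
    among_fraud = Counter(m for c in fraud_cards for m in card_merchants.get(c, ()))
    findings = []
    for merchant, hits in among_fraud.items():
        if hits < min_cards:          # too few cards to call it a pattern
            continue
        fraud_share = hits / len(fraud_cards)
        base_share = overall[merchant] / len(card_merchants)
        lift = fraud_share / base_share
        if lift >= min_lift:          # hypothetical threshold, tune per portfolio
            findings.append((merchant, fraud_share, base_share, lift))
    return sorted(findings, key=lambda f: f[3], reverse=True)

def build_sample():
    """Constructed data sized to match the article's percentages."""
    cards = {f"card{i}": {"grocer"} for i in range(5000)}  # everyone uses the grocer
    for i in range(40):                                     # 40 / 5000 = 0.8%
        cards[f"card{i}"].add("ticket-merchant")
    # 50 fraud reports: 35 from ticket-merchant cards (70%), 15 from other cards
    fraud = {f"card{i}" for i in range(35)} | {f"card{i}" for i in range(1000, 1015)}
    return cards, fraud

if __name__ == "__main__":
    for merchant, fs, bs, lift in common_point_of_purchase(*build_sample()):
        print(f"{merchant}: {fs:.0%} of fraud cards vs {bs:.1%} overall (lift {lift:.1f}x)")
```

The grocer appears on every fraud card but also on every card overall, so its lift is 1 and it is not reported; only the merchant that is rare overall and common among fraud cards stands out.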

Ticketmaster appears to have embedded a chatbot developed by Inbenta on its payments pages. Attackers found a vulnerability in the JavaScript code, and used that to extract customers’ payment information as they were paying for tickets.

JavaScript Vulnerability Blamed

Inbenta’s CEO said: “It has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements.”

He added: “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

Senior software developer Krzysztof Zaborowski, at UK cybersecurity company ThinkMarble, however, raised questions surrounding Inbenta’s explanation of the events. He asked how the code could be exploited without access to the production environment or Content Delivery Network (CDN) that serves the original JavaScript code.

“If the malicious actor had access to this ‘backend’ what else have they done and what dormant malicious code could still be residing ready to activate?”
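A site owner can check for the situation described above, a third-party script on a payment page whose served content has changed, by auditing the page's script tags against pinned hashes. This is an added example, not code from Ticketmaster or Inbenta; it uses Subresource Integrity (the `integrity` attribute), a control the article does not mention, handles only sha384 pins, and all hostnames, file names and script bodies are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def sri_sha384(body: bytes) -> str:
    """Value a browser compares against the integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def audit_page(html: str, page_host: str, fetched: dict) -> dict:
    """Classify each third-party script as 'unpinned', 'ok' or 'modified'.
    fetched maps src -> bytes as currently served (supplied by the caller)."""
    collector = ScriptCollector()
    collector.feed(html)
    report = {}
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname
        if host is None or host == page_host:
            continue                      # first-party script, out of scope here
        if not integrity:
            report[src] = "unpinned"      # vendor can change it without notice
        elif sri_sha384(fetched[src]) in integrity.split():
            report[src] = "ok"
        else:
            report[src] = "modified"      # served bytes no longer match the pin
    return report

def build_sample():
    """Constructed checkout page and constructed 'currently served' bodies."""
    lib, widget = b"function lib(){}", b"function widget(){}"
    html = (
        '<script src="/static/checkout.js"></script>'
        '<script src="https://chat.vendor.example/bot.js"></script>'
        f'<script src="https://cdn.vendor.example/lib.js" integrity="{sri_sha384(lib)}"></script>'
        f'<script src="https://cdn.vendor.example/widget.js" integrity="{sri_sha384(widget)}"></script>'
    )
    fetched = {"https://cdn.vendor.example/lib.js": lib,
               "https://cdn.vendor.example/widget.js": widget + b"/* altered */"}
    return html, fetched
```

In a real audit the `fetched` bodies would come from requesting each script URL; scripts reported as unpinned are the ones where a change at the vendor or CDN reaches the payment page unchecked.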

Specialist officers from the UK’s National Cyber Security Centre (NCSC) are investigating, the NCSC said.

