Ticketmaster, which revealed a major breach of user payment details yesterday, was repeatedly warned it may have a problem by challenger bank Monzo as early as April, but an internal investigation failed to reveal any security issues.
That’s according to a blog by the London-based digital bank’s Head of Financial Crime, Natasha Vernier, published today. Worse, it reveals that the payment card details accessed have already been used fraudulently.
It was previously unclear whether payment details had been stolen in encrypted format or not. This shows that the hackers have usable access to the stolen card details.
The company is refusing to reveal the total number of those affected or even those it has contacted. Ticketmaster is referring press inquiries to its PR agency Freuds.
An agency spokesman said they “don’t have the global number” of those affected.
They also declined to say how many potential Ticketmaster customers in the UK had been contacted. The agency is saying “on background” that early estimates are 40,000 people in the UK have had their payment details swiped.
A spokesman said in an email to Computer Business Review: “However we have – erring on the side of caution – contacted a wider group who could possibly have been affected but there is no evidence that this has occurred.”
Content from our partners
It refused to reveal the number of that “wider group”.
Fraudulent Transactions Spotted in Early April
Vernier said: “On Friday 6th April, around 50 customers got in touch with us to report fraudulent transactions on their accounts and we immediately replaced their cards.”
“After investigating, our Financial Crime and Security team noticed a pattern: 70% of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster.”
As the scale of the issue grew, Monzo between April 19-20 sent out six thousand replacement cards to customers who had used their Monzo cards at Ticketmaster.
“Throughout this period we were in direct contact with Ticketmaster. On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”
Ticketmaster appears to have embedded a chatbot developed by Inbenta on its payments pages. Attackers found a vulnerability in the Javascript code, and used that to extract customer’s payment information as they were paying for tickets.
Javascript Vulnerability Blamed
It has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements.
CEO of Inbenta said: “It has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements.”
He added: “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”
Senior software developer Krzysztof Zaborowski, at UK cybersecurity company ThinkMarble, however, raised questions surrounding Inbenta’s explanation of the events. He asked how can the code could be exploited without having access to the production environment or Content Delivery Network (CDN) behind the serving of the original JavaScript code.
“If the malicious actor had access to this ‘backend’ what else have they done and what dormant malicious code could still be residing ready to activate?”
Specialist officers from the UK’s National Cyber Security Centre (NSCC) are investigating, the NCSC said.
