Ticketmaster, which revealed a major breach of user payment details yesterday, was repeatedly warned it may have a problem by challenger bank Monzo as early as April, but an internal investigation failed to reveal any security issues.
That’s according to a blog post by the London-based digital bank’s Head of Financial Crime, Natasha Vernier, published today. Worse, it reveals that the payment card details accessed have already been used fraudulently.
It was previously unclear whether payment details had been stolen in encrypted format or not. This shows that the hackers have usable access to the stolen card details.
The company is refusing to reveal the total number of those affected or even those it has contacted. Ticketmaster is referring press inquiries to its PR agency Freuds.
An agency spokesman said they “don’t have the global number” of those affected.
They also declined to say how many potential Ticketmaster customers in the UK had been contacted. The agency is saying “on background” that early estimates are that 40,000 people in the UK have had their payment details swiped.
A spokesman said in an email to Computer Business Review: “However we have – erring on the side of caution – contacted a wider group who could possibly have been affected but there is no evidence that this has occurred.”
It refused to reveal the number of that “wider group”.
Fraudulent Transactions Spotted in Early April
Vernier said: “On Friday 6th April, around 50 customers got in touch with us to report fraudulent transactions on their accounts and we immediately replaced their cards.”
“After investigating, our Financial Crime and Security team noticed a pattern: 70% of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster.”
As the scale of the issue grew, Monzo sent out six thousand replacement cards between April 19 and 20 to customers who had used their Monzo cards at Ticketmaster.
“Throughout this period we were in direct contact with Ticketmaster. On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”
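The pattern Monzo's team describes, a merchant used by 70% of fraud victims but only 0.8% of all customers, is a common-point-of-purchase check. The sketch below is an added example, not Monzo's code: the records, function names and the significance threshold are constructed assumptions chosen to mirror those two percentages.

```python
from math import comb

def build_sample():
    """Constructed data: (customer_id, merchant) card-use records plus the
    set of customers who reported fraud. None of it is real."""
    txns = []
    for c in range(1000):
        txns.append((c, "grocer"))             # every customer shops here
        if c < 8:
            txns.append((c, "ticket-site"))    # 8 of 1000 = 0.8% baseline
    fraud = set(range(7)) | {500, 501, 502}    # 7 of 10 victims used ticket-site
    return txns, fraud

def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): the chance of k or more of the n
    victims having used a merchant if fraud were unrelated to it."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def common_points_of_purchase(txns, fraud_customers, alpha=1e-6):
    """Return merchants over-represented among fraud victims.
    alpha is an assumed threshold, not a value from the article."""
    all_customers = {c for c, _ in txns}
    by_merchant = {}
    for c, m in txns:
        by_merchant.setdefault(m, set()).add(c)
    n = len(fraud_customers)
    findings = []
    for merchant, customers in by_merchant.items():
        baseline = len(customers) / len(all_customers)   # share of all customers
        hits = len(customers & fraud_customers)          # victims who used it
        p_value = binom_tail(hits, n, baseline)
        if p_value < alpha:
            findings.append({
                "merchant": merchant,
                "share_of_victims": hits / n,
                "baseline": baseline,
                "p_value": p_value,
            })
    return sorted(findings, key=lambda f: f["p_value"])

if __name__ == "__main__":
    for f in common_points_of_purchase(*build_sample()):
        print(f)
```

A merchant that every customer uses, like the constructed "grocer", also appears in every victim's history but is not flagged, because its share among victims matches its baseline.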
He added: “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”
“If the malicious actor had access to this ‘backend’ what else have they done and what dormant malicious code could still be residing ready to activate?”
Specialist officers from the UK’s National Cyber Security Centre (NCSC) are investigating, the NCSC said.