The winners and losers of the Ticketmaster data breach

Ticketmaster announced last night it had experienced a hack that saw the data of 40,000 UK customers breached.

The company identified the root cause of the attack as malicious software in its third-party chatbot operated by Inbenta Technologies.

All affected customers have been contacted, and Ticketmaster has set up a specific website for customers who have questions about the data breach. It has offered affected customers a 12-month identity monitoring tool and advised them to change their password.

Since the public announcement of the breach, it has emerged that Ticketmaster had been informed of a potential breach by digital, mobile-only bank Monzo. The bank states 50 customers got in touch on 6th April about fraudulent transactions and, after an internal investigation, Monzo discovered that 70% of those customers had a Ticketmaster account compared to just 0.8% of all customers.

After the pattern continued over the course of a week, Monzo contacted Ticketmaster, who said it would launch an internal investigation. As more fraudulent transactions were logged, Monzo made the decision to replace all customer cards that had been affiliated to a Ticketmaster account – 6000 in total. Monzo claimed that on 19th April, Ticketmaster’s internal investigation concluded that there had been no breach.
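The comparison Monzo describes (70% of fraud reporters holding a Ticketmaster account against 0.8% of all customers) is a common-point-of-purchase check. The sketch below is an added example, not Monzo's or Ticketmaster's code; the customer population, the "grocer" control merchant and the function names are constructed for illustration, and only the 50, 70% and 0.8% figures come from the article.

```python
from math import comb

def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): odds of k or more hits by coincidence."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def common_points(merchants_by_customer, fraud_customers):
    """Rank merchants by over-representation among fraud reporters."""
    total, n_fraud = len(merchants_by_customer), len(fraud_customers)
    base, hits = {}, {}
    for cust, merchants in merchants_by_customer.items():
        for m in merchants:
            base[m] = base.get(m, 0) + 1
            if cust in fraud_customers:
                hits[m] = hits.get(m, 0) + 1
    rows = []
    for m, k in hits.items():
        base_rate = base[m] / total      # share of all customers using m
        fraud_rate = k / n_fraud         # share of fraud reporters using m
        rows.append({"merchant": m, "fraud_rate": fraud_rate,
                     "base_rate": base_rate, "lift": fraud_rate / base_rate,
                     "p_value": binom_tail(k, n_fraud, base_rate)})
    return sorted(rows, key=lambda r: r["p_value"])  # least likely coincidence first

def build_sample():
    """Constructed data: 10,000 customers, the first 50 report fraud."""
    customers = {}
    for i in range(10_000):
        used = set()
        if i % 2 == 0:
            used.add("grocer")            # constructed control merchant, 50% everywhere
        if i < 35 or 50 <= i < 95:
            used.add("ticketmaster")      # 35 of 50 reporters, 80 of 10,000 overall
        customers[f"c{i}"] = used
    fraud = {f"c{i}" for i in range(50)}
    return customers, fraud

if __name__ == "__main__":
    for row in common_points(*build_sample()):
        print(f'{row["merchant"]:<13} fraud={row["fraud_rate"]:.1%} '
              f'base={row["base_rate"]:.1%} lift={row["lift"]:.1f} p={row["p_value"]:.1e}')
```

A merchant used by half of all customers also appears for half of the fraud reporters and scores a lift of 1, which is why the baseline rate matters more than the raw count.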

It’s unclear what happened between this date and the public announcement of the data breach on 27th June; we also don’t know when Ticketmaster reported this breach directly to the Information Commissioner’s Office (ICO), but if it was around the time of the public announcement the company could potentially be in breach of GDPR.

The General Data Protection Regulation states that companies must inform the ICO of a breach no later than 72 hours after discovery. Businesses should also inform affected customers “without undue delay” unless they can prove the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.”

Inbenta’s CEO has released a statement saying that the JavaScript code in Ticketmaster’s solution had been customised to meet the customer’s needs and then applied to the payments page without Ticketmaster informing Inbenta.

This breach is something of a ‘he said, she said’ situation, with all involved parties releasing strong statements and somewhat absolving themselves of responsibility. Monzo has come out on top with its proactivity in supporting customers that had been previously affected, and those it deemed likely to be affected. Similarly, while a lot of the media attention is focusing on Inbenta Technologies and the malicious code that led to the breach, the company has been clear that this breach will not occur again.

Ticketmaster, on the other hand, only contacted Inbenta a week ago, and is now being accused of reporting the breach later than required. If the company did discover the breach in April when notified by Monzo, it could be in hot water. The company’s finances and reputation could be impacted by this incident; so what should you do in the event of a data breach?

Report it immediately

As soon as you discover any data breach that poses risks to the customers affected – which is the case for Ticketmaster, as bank card information was breached and fraudulently used – you should prioritise informing both the ICO and the affected data subjects.

Prove you had ‘reasonable measures’ in place

The ICO won’t necessarily fine companies for experiencing a data breach. The data governing body is more interested in how this breach occurred in the first place. If you can prove that you adopted best-practice processes and put cyber security measures in place, the ICO is unlikely to punish you. A great tool for proving you’ve implemented security measures is root cause analysis, which will show you where, when and how a breach occurred in the first instance and how far it has spread.

Make it right

When you notify affected customers, it’s important to offer support and guidance. Ticketmaster has done this by telling customers to change their passwords, as well as offering the free identity monitoring tool for 12 months to make amends. The security of your customers and their data should come first; you should be open, honest and supportive.

Learn from it

On average, ransomware victims are hit twice. Cyber criminals won’t stop targeting your data, and research has shown that if they successfully hack you once, they’re more likely to do it again. By using a tool like root cause analysis, you can understand what your weak points are and build them up so they’re stronger than ever before. It could be that an employee lost an unencrypted laptop; you need to implement encryption. Perhaps an unsuspecting colleague fell for an email-borne ransomware attack. You can employ a ransomware-specific product and even use simulated phishing attacks to train your staff. This will stand you in good stead with the ICO.