It has been reported that global ticketing giant See Tickets has begun notifying customers of a significant breach of their personal and financial information, which lasted for over two-and-a-half years. The company, owned by French media firm Vivendi, revealed the news in breach notification letters published by various US states. An official statement from either business has so far not been forthcoming.
The full story can be found here: https://www.infosecurity-magazine.com/news/see-tickets-discloses-major-card/
Retailers are some of the most viable targets for threat actors precisely because these businesses gather, process, and house so much information about their customers. These companies have a responsibility to carry out the due diligence of protecting the data they have already collected and processed, which, in this case, includes the 90,000 potentially impacted customers in Texas alone. Retailers need to understand that securing their data behind a perimeter is a good start, but applying data-centric security like tokenization, which replaces sensitive data elements with innocuous tokens, helps to mitigate situations like these when data breaches actually occur. Even if hackers get their hands on tokenized sensitive data, they can’t do anything with it and thus it becomes worthless (and protects data subjects from potentially catastrophic consequences). The investment for organizations into data-centric security is a much better scenario than the fallout from a data breach.
I am concerned that it took nearly a year for See Tickets to shut down this unauthorized activity by bad actors. Plus, it took an additional eight months to determine that customer credit card information had been compromised. This is simply unacceptable. The usual warnings to the possibly hundreds of thousands of affected customers. This includes keeping a careful eye on their credit card and banking accounts, ideally getting new credit and debit cards with new numbers, closely monitoring their credit reports for unauthorized transactions, and avoiding any unsolicited emails or messages from individuals posing as vendors or banking institutions.
See Tickets hasn’t provided specifics about the attack, but details in the report point to formjacking malware. See Tickets mentioned that checkout pages were affected, not that a database was breached. Formjacking, also called card skimming, is malware placed on the checkout page of a shopping site that steals credit card details entered by customers and sends them to the attacker. Formjacking requires the attacker to break into the site and install malware, such as Magecart, as if they were the site owner. Because the malware is part of an otherwise trusted site, shoppers have no way of knowing their credit card details are being stolen. See Tickets mentioned that this breach went on for over two-and-a-half years, which means the attacker likely planted the formjacking malware on the checkout page at that time and has been stealing credit cards ever since.
It may sound shocking that unauthorised activity can continue for several months after first being detected, but unfortunately it’s a situation that I see on a regular basis. Attackers often operate in a stealthy way which takes advantage of any lapse in an organisation’s IT environment. Therefore, it’s essential to get the basics right such as: having full visibility of the network and the devices connected to it, adopting two factor authentication and knowing where the most valuable data is so that it can be adequately protected. All of these measures should be implemented as part of a zero trust approach, where all users and activity should be considered unauthorised until it has been authenticated and then continuously validated.
The time that an intruder spends in a network before being detected and dealt with is often referred to as dwell time. Whilst industry reports such as Mandiant’s M-Trends show that overall dwell time is decreasing, on average attackers are still remaining active in the networks of their targets for 21 days. Given that even one day is enough to cause costly damage and to steal highly sensitive information, more work still needs to be done to deal with breaches quicker. Organisations should start by ensuring that they have the aforementioned basics covered which will reduce the likelihood of an attack being successful and minimise the impact of any breaches that do occur.