Ticketmaster suffered a security breach believe to affect up to 40,000 UK customers. In tweet, firm confirmed that third-party customer support product Inbenta Technologies caused the hack and all affected customers have been contacted. IT security experts commented below.
Pravin Kothari, CEO at CipherCloud:
“Fool me once, shame on you. Fool me twice, shame on me. Ticketmaster’s website security was compromised by a malware laden chatbot which they had installed on quite a few of the Ticketmaster websites worldwide. This is deja vu all over again as only a few months ago malware laden chatbots brought breaches to Sears, Delta Airlines and Best Buy.
Lesson learned? Think carefully about installing 3rd party web services and giving them access to your cloud infrastructure until your security operations center team has a chance to thoroughly audit their security and evaluate the risk of integrating their services with your own critical cloud infrastructure. The cyberattackers compromising chatbots on Ticketmaster may have collected names, emails, payment details and other key login information.”
Tamulyn Takakura, Product Marketing Manager at Prevoty:
“The ticket distribution sector has had a tough month. Just 3 weeks earlier, Ticketfly announced a web application breach. Unlike the Ticketfly breach, Ticketmaster’s breach resulted from faulty external third-party software.
The reality is that all businesses today rely on a complex cyber supply chain — from free open source software (FOSS) to third-party components to commercial, off-the-shelf applications. Today, companies are forced to assume security risk from their suppliers, because it’s impractical to mandate a consistent level of security across an organization’s technology supply chain. Unlike the automotive industry, where there are only so many suppliers for vehicle parts, the application supply chain is fluid, and it isn’t always apparent who the supplier is.
The Ticketmaster breach emphasizes the need to employ attack-based security solutions, such as RASP, that bolts on to hard-to-secure applications, such as third-party and legacy apps, with no code changes. They run within application containers and block malicious attacks even when there are underlying vulnerabilities. With RASP, organizations can ensure a consistent level of security across their externally-sourced, third-party applications, so they can shift their focus on acquiring applications that make them most productive.”
Dr Guy Bunker, SVP of Products at Clearswift:
“This is the first major breach where GDPR shared responsibility come into play as it was the sub-contractor/data processor which had the leak and it highlights the importance of understanding the full information chain. In order to gain this overarching understanding, businesses should do an audit – or at least ask for a statement – on the information security which the other parties have in the chain – it might be that sub-contractors have sub-contractors, so this knowledge is essential. There also needs to be a complete understanding of what is being shared and why – in the past, organisations might ‘overshare’ because it was easier than creating the sub-set which was needed and hidden columns in spreadsheets was not uncommon.
“There are several ways the malware could have been installed in this case. Perhaps it was a badly patched system which meant there was a vulnerability which could be exploited, or there could have been a phishing attack with a weaponised document or a URL resulting in malware. Once inside the organisation, then the malware could readily spread.
“As with all data breaches, the first piece to have in place is a plan – and it looks like they have a plan, reporting within the required timeframe and working on finding the facts. Of course this is reacting after the horse has bolted and there needs to be other controls in place to create the best practice defence-in-depth approach.
“The first step is to prevent the bad stuff from coming in. This means ensuring that applications and the OS are suitably patched and having good ‘standard’ security controls in place such as intrusion detection or prevention on the network, anti-virus on email, web and the endpoint. Additional controls such as sandboxing, or structural sanitisation can be deployed to detect and mitigate the risk from weaponised documents. Ideally, a business will monitor inside the network for anomalous activity as well, whether this is on network traffic or applications, so they can identify any potential malicious activity across the network.
“Finally, it’s a case of preventing the good stuff from going out. Use a Data Loss Prevention (DLP) solution, or a next generation Adaptive DLP solution, to detect and remove sensitive information from being transmitted to unauthorised individuals. An Adaptive approach will ensure continuous collaboration is maintained without compromising information.
“Security is only as strong as the weakest link. If that weak link is one of the suppliers or partners then this will cause issues. Ensure that your suppliers, partners and all within the information chain, have at least as strong information security as yourself, or the consequences will be falling foul of GDPR and with it the potential for huge fines – not to mention the damage to the reputation and your customers who are only a click away from your competition.”
James Romer, Chief Security Architect at SecureAuth + Core Security:
“Third-party data breaches are a growing problem, and have been the source of a number of high-profile data leaks in recent years. In this case, it seems that a customer service chatbot was compromised by malware and exported UK customers’ data to an unknown third-party. Ticketmaster is just the latest victim of cyberattackers who exploit vulnerabilities within the supply chain to gain access to valuable information. The live event entertainment industry relies heavily on many small businesses working collaboratively, and their individual security is crucial because it’s not just one business’ most valuable information at risk.
“Customers who have had their details exposed are now the prime targets for identity theft and will need to practice continuous monitoring of their finances and vigilance to help mitigate the potential effects. This damage to consumer trust can be difficult to repair and businesses responsible for holding personal data need to do more to ensure that identities are protected, through layering security before the authentication phase. Most data breaches happen because of misused user credentials, so if businesses focus on getting the access and authentication part right for users, that’s half the battle.”
Martin Jartelius, CSO at Outpost24:
“In this case, an attacker has targeted one of their third-party services used on their websites, and thereby managed to target their customers and impact the service. Integrations and seamless inclusion of third party code into websites is an increasing trend, and this essentially means trusting other organizations to safeguard their systems and protect your users.
Organizations are using these codes for ad tracking, for tracking user experience and interactions and, as in this case, support services. By including code from other organizations servers (rather than hosting it yourself) you are exposed to vulnerabilities or risks that are out of your control. Trust is essential in a partnership, but control is even more important – ensure that when you secure your applications you demand the same from vendors you intend to integrate or work with.”
Ian Ashworth, Security Consultant at Synopsys:
“While I don’t have any specific information relating to this incident, it sounds like a typical data exfiltration technique to plant malware on a server that is acting as a genuine conduit between parties in an order management chain or payment process. Most of these would employ encryption to protect data end-to-end. However there could be weaknesses where one encryption link is translated to another for onwards transmission.
The server in question would capture information that is being legitimately presented by a customer for their ticket purchase etc. and the malware then silently transmits this on to another “host” for subsequently committing fraud.
Well maintained anti-virus and malware detection software running on these servers would hopefully detect the introduction of these type of malicious programs either from their code “signatures” or from their unusual/unexpected network connectivity. There is an increasing trend, however, in the development of fileless malware which try and hide themselves in the memory of the servers (RAM) rather than leave any footprints on disk drives which are swept for suspicious software. Malware can also be very cunning in shaping their own network data traffic to avoid intrusion detection systems. Other mitigation techniques exist which fall under the category of best practices (e.g. implementing the principle of least privilege and utilising sandboxes)
From a customer perspective, they will be totally unaware of the fraud until they or their payment provider detects potential anomalies on their own hosts relating suspicious retailer activities and pinpointing the likely source of the data fraud.”
Laurie Mercer, Solution Engineer at HackerOne:
“Ticketmaster should be congratulated for this textbook breach notification. The communication is clear and transparent and informative. This breach highlights how important it is to ensure the same security standards are followed across the software supply chain.
Security does not stop in your Software Development Lifecycle, it must extend through your software supply chain. To best protect customer data, organizations need to run thorough security vendor assessments and partner with brands that take security as seriously as they do.”
Chris O’Brien, Director Intelligence Operations at EclecticIQ:
“The news that the Ticketmaster breach was down to issues with a third-party supplier is worrying, but unfortunately no longer rare. The flexibility offered by the modern business landscape has led to the use of third parties becoming prolific. However, while these working relationships may be beneficial for those involved, the threat of external suppliers in the supply chain being compromised is increasing.
“We are moving towards a world where the suppliers who provide detailed security implementations and can demonstrate practical implementation of security standards will be in a better position than their competitors. Ensuring there isn’t a weak link in a supply chain is fundamental, but simply having an accreditation will soon not be enough to build trust between third parties and their partners. With the constantly evolving threat landscape making it difficult for organisation to know what to protect themselves against, it’s more important than ever that businesses and their suppliers work collaboratively in order to stand a chance of getting one step ahead of the bad guys.”
Tony Pepper, CEO and Co-Founder at Egress:
“There are going to be a few eyebrows raised this morning about this breach and when Ticketmaster really discovered it. Clearly data was at risk for some time and apparently, Ticketmaster had been alerted to the issue but didn’t heed those warnings. It is going to be interesting to see how the ICO reacts when they get to the bottom of this, given the emphasis now placed on data breach reporting and reflected in the changes made under the GDPR.
“Data breaches are now a common risk of doing business today, and organisations need to be responsible in how they deal with the situation – from doing everything reasonable to prevent a breach through to reporting incidents and mitigating their effects should the worst happen. If Monzo’s warnings had been acknowledged, then potentially far fewer customers would have been impacted. Hopefully, this will act as a warning to other businesses to ensure appropriate action can be taken should something go wrong.”
Steve Schult, Sr. Director Product Management at LastPass:
“When users change their Ticketmaster password it’s important they select a unique, strong password that hasn’t been used on other online accounts.
Ideally the password should have a mix of characters (uppercase, lowercase, symbols, and numbers), avoid words straight out of the dictionary, and be as long as possible – ideally no shorter than 14 characters. The longer the password is, the harder it becomes to crack, or brute-force attack which simply means it takes longer for a computer to correctly guess it.
Memorising complex, unique passwords for every online account is nearly impossible and can result in users cutting corners at the expense of their own security. Thankfully there’s technology available that can make managing your passwords easier and more secure. By using password managers, remembering more than one password should be a thing of the past. All the work is done for you, and it’s the easiest way to ensure your accounts are secure and protected.
Multi-factor authentication is also a great way of adding an extra layer of security to your accounts, as an additional piece of information will be required (such as a one-time code or finer print) before access is granted. This ensures an attacker won’t be able to gain entry into an account even if they do obtain the password.”
Paul German, CEO at Certes Networks:
“It isn’t as though the IT industry needed yet another example of how current the cybersecurity model / mindset is broken. So how many more high profile and high impact cases are we going to see before the industry takes action?
It should by now be very clear that a continued focus on trying to secure corporate infrastructure is a fallacy. In fact, security and network infrastructure serve two entirely different purposes; the former serves – or should serve – to protect data, the latter facilitates connectivity. To have both falls under the domain of the CIO is a set-up that is only going to fail, as we are seeing time and again.
Network infrastructure and security must be decoupled. Organisations need to start thinking about security as an overlay on top of existing infrastructure. They also need to introduce a software-defined approach to their security posture which enables centralised orchestration of security policy to enforce capabilities such as software-defined application access control, data in motion privacy and segmentation and a software-defined perimeter, which most importantly uses cryptography to restrict hackers from moving freely between segments once a breach has occurred. And finally, they need to consider innovative approaches such as Layer 4 encryption which renders the data itself useless, and therefore worthless to hackers, without impacting the operational visibility of the enterprise network and data flows.
The industry has overcomplicated network security and has fundamentally failed. It’s time for a new, simpler software-defined security overlay approach.”
Gary Cox, Technology Director, Western Europe at Infoblox:
“This news is a stark reminder for all businesses that they cannot be complacent about cybersecurity. With the latest figures showing that 92% of all malware uses DNS to gain control, redirect traffic and infiltrate data, organisations must ensure they are regularly conducting reviews of their cybersecurity strategies, and bring suppliers and partners into their business and networks to ensure an equally high level of diligence on all connections, apps and services.
“With more and more 3rd party systems available, it’s essential that regular reviews and checks happen, to ensure the rapidly growing cyber threat landscape is minimised. Organisations need to make sure they have a proactive strategy in place, moving from defensive strategies to offensive; from detection to prevention. Technologies like machine learning can help identify potential risks and threats, and make it easier for organisations to spot any unusual activity on their networks as soon as it appears. Approaches like this can help ensure that organisations become as agile and as fast as the cybercriminals we are fighting against.”
Peter Carlisle, VP EMEA at Thales eSecurity:
“Can it be that we are seeing another major UK company admitting a breach, so soon after Dixons Carphone? As sophisticated and well-funded threat actors adapt quickly to new security measures, trying to protect customer data has become an exhausting process. But, the best defence in cybersecurity is a proactive one. It’s simply not acceptable that any organisation, especially one of this size, was not protecting all of its data, so that it was secured against any kind of attack, even one via third party software.
To protect customers, and their valuable personal data, businesses must have complete visibility and control over exactly where their data resides, and adopt an encrypt-everything approach. Cyber criminals are getting smarter, better and faster, and this is just another name on the long list high profile victims.
With the GDPR in full force, it’s no longer just a lack of customer trust and a tarnished reputation organisations need to be worried about. The risk of weighty financial penalties mean the perils of a data breach just got a lot more serious.”
Paul Cant, VP EMEA at BMC Software:
“Another day, another breach! It has been some time since we’ve seen a series of big names in the cyber security firing line, but with the number of multi-cloud environments and IoT devices continuing to rise, we are going to see more and more. Although we know there are many risk vectors, organisations have to be sure they are secured. With GDPR penalties looming large, organisations simply cannot afford to leave cybersecurity as an afterthought.
Only by relentlessly examining internal processes can companies discover how their systems storing data are configured, how they’re connected, where any vulnerabilities sit – including through third party software and services – and then piece together a plan to remediate those vulnerabilities and correct them – keeping the personal data of their customers secure.”
Rodney Joffe, SVP and Fellow at Neustar:
“With another organisation falling victim to the threat of hackers, this latest security breach is a further reminder that strategies must be put in place to proactively manage cyber-attacks.
“Increasingly, attackers are finding new and innovative ways to breach web perimeters – from web application and DDoS attacks to ransomware. Installing a Web Application Firewall (WAF) is crucial for preventing third parties like these from accessing a website and stealing customers’ sensitive and personal information. And with legislation such as GDPR in play, it is as important as ever that a unified 24/7 Security Operation Centre, including a user interface with real-time monitoring and reporting, is already in place.
“Cyber-danger is real and, in times like these, it is critical that security is kept at the heart of all operations.”
Allen Scott, Consumer EMEA Director at McAfee:
“Monzo’s quick identification of, and response to, the Ticketmaster data breach is a great example that every financial institution and online service should look to mirror. Like so many businesses who fall victim to data breaches, Ticketmaster has been slow to respond and put right this wrong. To win the battle against online fraud, we need businesses to join forces and support one another in identifying and responding to security threats.
“For any Ticketmaster customers concerned about the security of their personal information, there’s a few simple steps they should take immediately. Firstly, they should change their passwords straight away. We know it’s hard to remember all your passwords but using a password generator and manager can help solve this problem and ensure you don’t become an easy target.
“Do not click on any links or open attachments you receive via email from Ticketmaster. Hackers will be eager to ride this wave by targeting customers with phishing emails. Clicking on links or attachments in these emails can lead to your devices becoming infected with malicious malware that enables hackers to get their hands on your personal and financial information. If you’re worried you may have fallen victim, search for Ticketmaster online and get in contact directly; don’t wait for Ticketmaster to come to you.
“Finally, if you notice suspicious activity in your bank statements, contact your bank straight away to request a new card and highlight the fraudulent activity.”
