Ticketmaster suffered a security breach believed to affect up to 40,000 UK customers. In a tweet, the firm confirmed that a third-party customer support product from Inbenta Technologies caused the hack and that all affected customers have been contacted. IT security experts commented below.
Pravin Kothari, CEO at CipherCloud:
“Lesson learned? Think carefully about installing 3rd party web services and giving them access to your cloud infrastructure until your security operations center team has a chance to thoroughly audit their security and evaluate the risk of integrating their services with your own critical cloud infrastructure. The cyberattackers compromising chatbots on Ticketmaster may have collected names, emails, payment details and other key login information.”
Tamulyn Takakura, Product Marketing Manager at Prevoty:
“The reality is that all businesses today rely on a complex cyber supply chain — from free open source software (FOSS) to third-party components to commercial, off-the-shelf applications. Today, companies are forced to assume security risk from their suppliers, because it’s impractical to mandate a consistent level of security across an organization’s technology supply chain. Unlike the automotive industry, where there are only so many suppliers for vehicle parts, the application supply chain is fluid, and it isn’t always apparent who the supplier is.
The Ticketmaster breach emphasizes the need to employ attack-based security solutions, such as RASP, that bolt on to hard-to-secure applications, such as third-party and legacy apps, with no code changes. They run within application containers and block malicious attacks even when there are underlying vulnerabilities. With RASP, organizations can ensure a consistent level of security across their externally-sourced, third-party applications, so they can shift their focus to acquiring applications that make them most productive.”
Dr Guy Bunker, SVP of Products at Clearswift:
“There are several ways the malware could have been installed in this case. Perhaps it was a badly patched system which meant there was a vulnerability which could be exploited, or there could have been a phishing attack with a weaponised document or a URL resulting in malware. Once inside the organisation, then the malware could readily spread.
“As with all data breaches, the first piece to have in place is a plan – and it looks like they have a plan, reporting within the required timeframe and working on finding the facts. Of course this is reacting after the horse has bolted and there needs to be other controls in place to create the best practice defence-in-depth approach.
“The first step is to prevent the bad stuff from coming in. This means ensuring that applications and the OS are suitably patched and having good ‘standard’ security controls in place such as intrusion detection or prevention on the network, anti-virus on email, web and the endpoint. Additional controls such as sandboxing, or structural sanitisation can be deployed to detect and mitigate the risk from weaponised documents. Ideally, a business will monitor inside the network for anomalous activity as well, whether this is on network traffic or applications, so they can identify any potential malicious activity across the network.
“Finally, it’s a case of preventing the good stuff from going out. Use a Data Loss Prevention (DLP) solution, or a next generation Adaptive DLP solution, to detect and remove sensitive information from being transmitted to unauthorised individuals. An Adaptive approach will ensure continuous collaboration is maintained without compromising information.
“Security is only as strong as the weakest link. If that weak link is one of the suppliers or partners then this will cause issues. Ensure that your suppliers, partners and all within the information chain, have at least as strong information security as yourself, or the consequences will be falling foul of GDPR and with it the potential for huge fines – not to mention the damage to the reputation and your customers who are only a click away from your competition.”
James Romer, Chief Security Architect at SecureAuth + Core Security:
“Customers who have had their details exposed are now the prime targets for identity theft and will need to practice continuous monitoring of their finances and vigilance to help mitigate the potential effects. This damage to consumer trust can be difficult to repair and businesses responsible for holding personal data need to do more to ensure that identities are protected, through layering security before the authentication phase. Most data breaches happen because of misused user credentials, so if businesses focus on getting the access and authentication part right for users, that’s half the battle.”
Martin Jartelius, CSO at Outpost24:
“Organizations are using these codes for ad tracking, for tracking user experience and interactions and, as in this case, support services. By including code from other organizations’ servers (rather than hosting it yourself) you are exposed to vulnerabilities or risks that are out of your control. Trust is essential in a partnership, but control is even more important – ensure that when you secure your applications you demand the same from vendors you intend to integrate or work with.”
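The risk described above, a third-party script served from someone else’s infrastructure changing underneath you, is what Subresource Integrity (SRI) pinning addresses. The following is an added illustration, not code from the article or from any vendor quoted in it; the widget bytes and the URL are constructed stand-ins.

```python
import base64
import hashlib

# Constructed stand-in for a third-party support widget as it was reviewed
# and approved (labelled as constructed sample input, not a real vendor's code).
VETTED_WIDGET_JS = b"(function(){window.supportChat={open:function(){}};})();"

# Constructed stand-in for what the vendor's server serves later: the same
# widget with an unreviewed change appended. The pinned hash must reject it.
CHANGED_WIDGET_JS = VETTED_WIDGET_JS + b"/* unreviewed change */"

# Browsers only honour these digest algorithms in the integrity attribute.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ("<algo>-<base64 digest>") for the given script body."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag that pins the vetted body via the integrity attribute.

    crossorigin="anonymous" is required for SRI checks on cross-origin resources;
    without it the browser cannot verify the hash and will refuse to run the script.
    """
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def integrity_check(expected: str, fetched: bytes) -> bool:
    """Mirror the browser's decision: accept the script only if the bytes fetched
    from the vendor still match the pinned token. The same check is useful in a
    scheduled job that re-fetches each third-party script and alerts on drift."""
    algo = expected.split("-", 1)[0]
    return sri_hash(fetched, algo) == expected


if __name__ == "__main__":
    pinned = sri_hash(VETTED_WIDGET_JS)
    print(script_tag("https://vendor.example/widget.js", VETTED_WIDGET_JS))
    print("vetted copy accepted:", integrity_check(pinned, VETTED_WIDGET_JS))
    print("changed copy accepted:", integrity_check(pinned, CHANGED_WIDGET_JS))
```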
Ian Ashworth, Security Consultant at Synopsys:
“The server in question would capture information that is being legitimately presented by a customer for their ticket purchase etc. and the malware then silently transmits this on to another “host” for subsequently committing fraud.
Well maintained anti-virus and malware detection software running on these servers would hopefully detect the introduction of these types of malicious programs either from their code “signatures” or from their unusual/unexpected network connectivity. There is an increasing trend, however, in the development of fileless malware which tries to hide itself in the memory of the servers (RAM) rather than leave any footprints on disk drives which are swept for suspicious software. Malware can also be very cunning in shaping its own network data traffic to avoid intrusion detection systems. Other mitigation techniques exist which fall under the category of best practices (e.g. implementing the principle of least privilege and utilising sandboxes).
From a customer perspective, they will be totally unaware of the fraud until they or their payment provider detects potential anomalies on their own hosts relating to suspicious retailer activities and pinpointing the likely source of the data fraud.”
Laurie Mercer, Solution Engineer at HackerOne:
“Security does not stop in your Software Development Lifecycle, it must extend through your software supply chain. To best protect customer data, organizations need to run thorough security vendor assessments and partner with brands that take security as seriously as they do.”
Chris O’Brien, Director Intelligence Operations at EclecticIQ:
“We are moving towards a world where the suppliers who provide detailed security implementations and can demonstrate practical implementation of security standards will be in a better position than their competitors. Ensuring there isn’t a weak link in a supply chain is fundamental, but simply having an accreditation will soon not be enough to build trust between third parties and their partners. With the constantly evolving threat landscape making it difficult for organisations to know what to protect themselves against, it’s more important than ever that businesses and their suppliers work collaboratively in order to stand a chance of getting one step ahead of the bad guys.”
Tony Pepper, CEO and Co-Founder at Egress:
“Data breaches are now a common risk of doing business today, and organisations need to be responsible in how they deal with the situation – from doing everything reasonable to prevent a breach through to reporting incidents and mitigating their effects should the worst happen. If Monzo’s warnings had been acknowledged, then potentially far fewer customers would have been impacted. Hopefully, this will act as a warning to other businesses to ensure appropriate action can be taken should something go wrong.”
Steve Schult, Sr. Director Product Management at LastPass:
“Ideally the password should have a mix of characters (uppercase, lowercase, symbols, and numbers), avoid words straight out of the dictionary, and be as long as possible – ideally no shorter than 14 characters. The longer the password is, the harder it becomes to crack or brute-force, which simply means it takes longer for a computer to correctly guess it.
Memorising complex, unique passwords for every online account is nearly impossible and can result in users cutting corners at the expense of their own security. Thankfully there’s technology available that can make managing your passwords easier and more secure. By using password managers, remembering more than one password should be a thing of the past. All the work is done for you, and it’s the easiest way to ensure your accounts are secure and protected.
Multi-factor authentication is also a great way of adding an extra layer of security to your accounts, as an additional piece of information will be required (such as a one-time code or fingerprint) before access is granted. This ensures an attacker won’t be able to gain entry into an account even if they do obtain the password.”
Paul German, CEO at Certes Networks:
“It should by now be very clear that a continued focus on trying to secure corporate infrastructure is a fallacy. In fact, security and network infrastructure serve two entirely different purposes; the former serves – or should serve – to protect data, the latter facilitates connectivity. To have both fall under the domain of the CIO is a set-up that is only going to fail, as we are seeing time and again.
Network infrastructure and security must be decoupled. Organisations need to start thinking about security as an overlay on top of existing infrastructure. They also need to introduce a software-defined approach to their security posture which enables centralised orchestration of security policy to enforce capabilities such as software-defined application access control, data in motion privacy and segmentation and a software-defined perimeter, which most importantly uses cryptography to restrict hackers from moving freely between segments once a breach has occurred. And finally, they need to consider innovative approaches such as Layer 4 encryption which renders the data itself useless, and therefore worthless to hackers, without impacting the operational visibility of the enterprise network and data flows.
The industry has overcomplicated network security and has fundamentally failed. It’s time for a new, simpler software-defined security overlay approach.”
Gary Cox, Technology Director, Western Europe at Infoblox:
“With more and more 3rd party systems available, it’s essential that regular reviews and checks happen, to ensure the rapidly growing cyber threat landscape is minimised. Organisations need to make sure they have a proactive strategy in place, moving from defensive strategies to offensive; from detection to prevention. Technologies like machine learning can help identify potential risks and threats, and make it easier for organisations to spot any unusual activity on their networks as soon as it appears. Approaches like this can help ensure that organisations become as agile and as fast as the cybercriminals we are fighting against.”
Peter Carlisle, VP EMEA at Thales eSecurity:
“To protect customers, and their valuable personal data, businesses must have complete visibility and control over exactly where their data resides, and adopt an encrypt-everything approach. Cyber criminals are getting smarter, better and faster, and this is just another name on the long list of high-profile victims.
With the GDPR in full force, it’s no longer just a lack of customer trust and a tarnished reputation organisations need to be worried about. The risk of weighty financial penalties means the perils of a data breach just got a lot more serious.”
Paul Cant, VP EMEA at BMC Software:
“Only by relentlessly examining internal processes can companies discover how their systems storing data are configured, how they’re connected, where any vulnerabilities sit – including through third party software and services – and then piece together a plan to remediate those vulnerabilities and correct them – keeping the personal data of their customers secure.”
Rodney Joffe, SVP and Fellow at Neustar:
“Increasingly, attackers are finding new and innovative ways to breach web perimeters – from web application and DDoS attacks to ransomware. Installing a Web Application Firewall (WAF) is crucial for preventing third parties like these from accessing a website and stealing customers’ sensitive and personal information. And with legislation such as GDPR in play, it is as important as ever that a unified 24/7 Security Operations Centre, including a user interface with real-time monitoring and reporting, is already in place.
“Cyber-danger is real and, in times like these, it is critical that security is kept at the heart of all operations.”
Allen Scott, Consumer EMEA Director at McAfee:
“For any Ticketmaster customers concerned about the security of their personal information, there are a few simple steps they should take immediately. Firstly, they should change their passwords straight away. We know it’s hard to remember all your passwords but using a password generator and manager can help solve this problem and ensure you don’t become an easy target.
“Do not click on any links or open attachments you receive via email from Ticketmaster. Hackers will be eager to ride this wave by targeting customers with phishing emails. Clicking on links or attachments in these emails can lead to your devices becoming infected with malicious malware that enables hackers to get their hands on your personal and financial information. If you’re worried you may have fallen victim, search for Ticketmaster online and get in contact directly; don’t wait for Ticketmaster to come to you.
“Finally, if you notice suspicious activity in your bank statements, contact your bank straight away to request a new card and highlight the fraudulent activity.”