Ticketing giant knew about spike in fraud months before cyber-attack was discovered

Digital bank Monzo has claimed it warned Ticketmaster about increased fraud on customer accounts months before a huge data breach was reported.

A leak affecting 40,000 customers was discovered on Tuesday, after attackers accessed information via a third-party product on the website.

But Monzo said today an internal investigation by Ticketmaster in April ruled that systems were secure.

The bank said it contacted Ticketmaster in April to inform them of a spike in fraud on some customer accounts.

It sent out 6,000 replacement cards to customers who had purchased tickets through the affected website, after seeing a pattern of fraudulent activity.

But Ticketmaster claimed it saw “no evidence” of a breach.

Natasha Vernier, head of financial crime at Monzo, said: “On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”

She added: “It’s incredibly important that companies always work together to protect customers and we'll always work hard to make sure this is the case.”

Data was stolen from systems when malicious actors leveraged a vulnerability in the JavaScript code for a chat support feature.

The automated chat support, provided by Inbenta Technologies, had been “customized” for Ticketmaster, according to Inbenta.

This script was located and modified by malicious actors who used it to extract payment information of customers.

Only customers who purchased or attempted to purchase tickets between February and June 2018 were affected.

An email was sent to potential victims which read: “Ticketmaster understands the importance of your personal information. We take the protection of that information very seriously and we are very sorry to have to write to you in these circumstances.”

Ticketmaster has been keen to stress that the vulnerability was in the coding provided by Inbenta, which created the chatbot feature.

However Inbenta has also said it didn’t know Ticketmaster was using the AI tech for payments – claiming that it would have advised against doing so.

The vulnerability has now been resolved and Ticketmaster said it has notified the Information Commissioner’s Office (ICO), as well as the National Cyber Security Centre (NCSC).

The NCSC said it is “working with our partners to better understand the incident” while the ICO told The Daily Swig: “We have been made aware of an issue concerning Ticketmaster and will be making enquiries.”

“We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”

Security in the supply chain

Ticketmaster responded quickly to the breach, which was discovered on June 26, possibly in a bid to ensure it was GDPR compliant.

But despite a well-managed response by the vendor, this data breach has once again highlighted the importance of ensuring security is tight at all levels of the supply chain.

Joseph Carson, chief security scientist at Thycotic, said that while companies are busy being lured in with the latest technology buzzwords, they are ignoring the need for robust security across all systems.

He told The Daily Swig: “Guaranteeing your supply chain is protecting and securing their products and solutions can longer be ignored.

“Many companies are using chat bots to help automate their customer experiences, having been lured into fancy buzzwords like machine learning, artificial intelligence and virtual assistance.

“Cybercriminals will always target the weakest link and, in this particular case, I believe this breach is worse than what we know so far.”

Last year, a cloud storage leak which exposed ‘virtually every US household’ also raised concerns over security risks when outsourcing to third-party companies.

A vast database containing sensitive personal information on more than 123 million American households was left on a publicly exposed Amazon S3 cloud storage bucket belonging to Alteryx, a California-based data analytics firm, which was configured via permission settings to allow any AWS account holder to download its contents.

Stored information included Experian customers’ details and data from the US Census Bureau.

Dan O’Sullivan, a cyber resilience analyst, from UpGuard, which discovered the issue, said at the time: “The exposure of massive amounts of data about many millions of American households gathered by a credit reporting agency reveals how the consequences of cyber insecurity can, in an increasingly interdependent technological environment, quickly afflict partners and expose their data as well.”

The Ticketmaster breach comes less than a month after US ticketing giant Ticketfly was targeted in a cyber-attack which leaked 26 million customer records online.

Ticketfly’s website was taken offline after it was defaced by malicious actors who wrote on the homepage: ‘Ticketfly HacKed By IsHaKdZ’ and ‘Your Security Down im Not Sorry’ [sic].