Looks Like Ticketmaster's Data Breach Was Worse Than We Thought…

Looks Like Ticketmaster's Data Breach Was Worse Than We Thought...

The Ticketmaster attack was apparently only the ‘tip’ of the iceberg, according to cyber-security firm RiskIQ.

Several weeks ago, Ticketmaster UK revealed that malicious code in software provided by Inbenta – a third-party supplier – led to a data breach.  According to the ticketing giant, less than 5% of its global customer base was affected.

That may be a vast understatement.

Magecart, a sophisticated hacking collective, was behind the attack.  The group, previously known for hacking websites directly, has now shifted to attacking third-party software components.

Researchers at RiskIQ, a cyber-security company, found Magecart breached two third-party suppliers integrated with Ticketmaster sites – Inbenta and SocialPlus.  The hacking collective added to and replaced custom JavaScript code with digital credit card skimmers.  Malicious scripts injected into the ticketing giant’s websites could then record credit card payment details entered by customers.

Yonathan Klijnsma and Jordan Herman, researchers at RiskIQ, published their assessment on Magecart’s attacks.  They found the group hadn’t only targeted Ticketmaster.

RiskIQ has tracked Magecart’s activities since 2015.  The group’s credit card hacks have only increased in sophistication, frequency, and impact.

Affected suppliers in Magecart’s recent campaign – dubbed Serverside – include PushAssist, CMS Clarity Connect, and Annex Cloud, among many others.

The ticketing giant has now confirmed the data breach affected Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb from February 2018 through June 23rd, 2018.  According to RiskIQ, however, attacks on the ticketing giant’s additional websites – Ireland, Turkey, and New Zealand, for example – started as early as December 2017.

Researchers also found a ‘Command and Control’ server used in the Ticketmaster attack has remained active since December 2016.