Question marks have been raised over Ticketmaster’s internal security and incident response processes after a bank revealed that it had alerted the ticketing giant in April to the breach the company only disclosed this week.
Mobile banking start-up Monzo claimed in a blog post on Thursday that around 50 customers contacted the firm on April 6 after spotting fraudulent activity on their accounts.
“After investigating, our Financial Crime and Security team noticed a pattern: 70% of the customers affected had used their cards with the same online merchant between December of last year and April this year,” explained head of financial crime at Monzo, Natasha Vernier. “That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster.”
She claimed that over the next few days more fraudulent transactions were attempted on cards which had previously been used at Ticketmaster.
Monzo notified the ticketing giant on April 12, but the fraud attempts kept coming. So confident was the firm that a breach had taken place that it eventually asked Mastercard directly to proactively replace every one of its customers’ cards that had been used at Ticketmaster.
“Throughout this period we were in direct contact with Ticketmaster,” explained Vernier.
“On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”
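The pattern Monzo’s team describes is a common-point-of-purchase (CPP) check: among cards whose holders reported fraud, which merchant appears far more often than it does across the whole card base? The following is an added example of that check, not Monzo’s code; the card base, merchant names, transactions and the 875-card population (chosen so that 7 cards is 0.8% of the base) are all constructed, and the thresholds are illustrative.

```javascript
// Common-point-of-purchase analysis over constructed transaction records.
// Runs under Node.js with no dependencies. Nothing here is real Monzo data.

const WINDOW_START = "2017-12-01"; // inclusive; ISO dates compare lexically
const WINDOW_END = "2018-04-06";

// Constructed card base of 875 cards (card-0 .. card-874).
const TOTAL_CARDS = 875;
const transactions = [];
for (let i = 0; i < TOTAL_CARDS; i++) {
  // 60% of the whole base used a popular coffee merchant. It will also be
  // common among fraud victims, but only because it is common everywhere.
  if (i % 5 >= 2) transactions.push({ card: `card-${i}`, merchant: "Coffee Co", date: "2018-02-10" });
}
// Seven cards used the suspect merchant inside the window ...
for (let i = 0; i < 7; i++) {
  transactions.push({ card: `card-${i}`, merchant: "Ticketmaster", date: "2018-01-15" });
}
// ... and one more used it before the window opened; that one must not count.
transactions.push({ card: "card-7", merchant: "Ticketmaster", date: "2017-10-01" });

// Ten cards whose holders reported fraudulent activity (constructed).
const fraudReportedCards = new Set(Array.from({ length: 10 }, (_, i) => `card-${i}`));

// merchant -> Set of distinct cards that transacted there inside the window.
function cardsPerMerchant(txns, start, end) {
  const byMerchant = new Map();
  for (const { card, merchant, date } of txns) {
    if (date < start || date > end) continue;
    if (!byMerchant.has(merchant)) byMerchant.set(merchant, new Set());
    byMerchant.get(merchant).add(card);
  }
  return byMerchant;
}

// For every merchant: share of fraud-reported cards seen there, share of the
// whole base seen there, and the ratio of the two (lift). The lift is computed
// from integer counts so the result is exact.
function commonPointOfPurchase(txns, fraudCards, totalCards, start, end) {
  const byMerchant = cardsPerMerchant(txns, start, end);
  const results = [];
  for (const [merchant, cards] of byMerchant) {
    let affected = 0;
    for (const card of cards) if (fraudCards.has(card)) affected++;
    results.push({
      merchant,
      affected,
      affectedShare: affected / fraudCards.size,
      baselineShare: cards.size / totalCards,
      lift: (affected * totalCards) / (fraudCards.size * cards.size),
    });
  }
  return results.sort((a, b) => b.lift - a.lift);
}

// Flag merchants that cover a large share of victims AND are rare in the base.
// Thresholds are illustrative; tune them to the card base and alert volume.
function suspectMerchants(results, minAffectedShare = 0.5, minLift = 10) {
  return results.filter(r => r.affectedShare >= minAffectedShare && r.lift >= minLift);
}

const report = commonPointOfPurchase(
  transactions, fraudReportedCards, TOTAL_CARDS, WINDOW_START, WINDOW_END);
console.log(suspectMerchants(report));
```

On this data the coffee merchant has a 60% share of the victims but a lift of 1, while the ticketing merchant has a 70% share of victims against 0.8% of the base, a lift of 87.5, and is the only merchant flagged. The lift is what separates a breached merchant from a merely popular one; share of victims alone would flag both.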
Ticketmaster finally confirmed earlier this week that a breach had indeed taken place, affecting less than 5% of its global customer base. It said it had discovered malware on June 23, more than two months after Monzo first notified it.
Even more bad news for the ticketing giant came from Inbenta Technologies, the third-party supplier who hosted the “customer support product” where the malware was found.
It explained in a new note that the source of the breach was a single piece of JavaScript code customized by Inbenta for Ticketmaster, but implemented by the ticket firm in an insecure manner.
“After a careful analysis of all clues and snapshots from our systems, the technical team at Inbenta discovered that the script had been implemented on the payment page,” the firm claimed. “We were unaware of this, and would have advised against doing so had we known, as it presents a point of vulnerability.”
Allen Scott, consumer EMEA director at McAfee, claimed all stakeholders in the digital supply chain need to work together more closely to prevent security and fraud incidents.
“Monzo’s quick identification of, and response to, the Ticketmaster data breach is a great example that every financial institution and online service should look to mirror,” he added.
“Like so many businesses who fall victim to data breaches, Ticketmaster has been slow to respond and put right this wrong. To win the battle against online fraud, we need businesses to join forces and support one another in identifying and responding to security threats.”
It remains to be seen whether the firm will be investigated under the new GDPR, given that the initial incident now appears to have happened before May 25, although the regulation requires a breach to be reported to the supervisory authority within 72 hours of the organisation becoming aware of it.