Yesterday news broke that Ticketmaster has been hit by a major breach affecting customers who made – or tried to make – recent purchases on the site. The Ticketmaster breach is thought to have compromised payment and other personal data for tens of thousands – and possibly even millions – of customers.
The breach, which impacted UK customers who used the site between February and 23rd June 2018 and international customers between September 2017 and 23rd June 2018, may become the first major breach to be dealt with under GDPR.
The Ticketmaster breach could therefore be extremely costly for the ticket retailer. But for other companies, it should be a reminder of an increasingly common issue: the insecurity of third-party software.
This is because the breach was caused by a third-party plugin on the Ticketmaster site that became infected with malware. Attacks of this kind, known as supply chain attacks, are behind some of the biggest breaches of the last few years, including the 2014 Target breach and the more recent Equifax breach.
“The interesting thing about this attack on Ticketmaster was that it was another supply chain attack,” said Etienne Greeff, CTO and co-founder, SecureData.
“Here, Ticketmaster was using a plugin from a third-party supplier on their website which was compromised. NotPetya demonstrated the potential these kinds of attacks have, and yet they are still happening. Simply put, business needs to step up its game.”
Third-party software: the security dangers of plugins
Designed to plug gaps in software’s capabilities, plugins are incredibly widespread, practical solutions to a host of issues. However, what they are often not great at is security, which is why we have seen so many third-party software-associated breaches.
“We have already seen this: the ICO and their text to speech plugin, national newspapers and property plugins, and we will undoubtedly see more of this in the future,” added Greeff.
“So how can businesses combat it? A good start would be to stop focusing on knowing thy enemy and start to work on knowing thyself – and I mean really know thyself. Know your entire attack surface, know your risk model, and understand which risk external parties may introduce if using their plugins. Here the risk was added by using external parties hosting customer support software.”
So far it is clear that the string of breaches has not persuaded companies to take adequate action – but if they want to avoid being stung by GDPR, now is the time to shore up their supply chain security.
“The Ticketmaster data breach, assumedly caused by malware on the systems of third-party supplier Inbenta, illustrates how vitally important it is for companies to not only step up the security measures to protect personal data, but also to be fast and efficient when it comes to notifying authorities and impacted customers,” said Sven Dummer, director at Janrain.
What to do if you are affected by the Ticketmaster breach – and what you should do even if you aren’t
If you are among those impacted by the Ticketmaster breach, you should change the password for your account – and for any other account that uses the same login details. You should also keep a close watch on your financial activity to ensure your payment details aren’t being misused.
However, for everyone, this is an opportunity to review your online security – because if you haven’t been impacted by a breach yet, there is a good chance you will be eventually.
“From a user’s perspective, consumers should also appreciate that when you connect to a website, you have code running from a number of organisations on your web browser – as such you shouldn’t store personal details in the open in text files or even in documents on your device,” explained Greeff.
“Instead think of using password vaults to store personal information and bank details. Ultimately however, all consumers should assume that at some stage there may be an issue with their details, so having monitoring in place to monitor credit history and financial activity on the web is advisable.”
“Although only around 40,000 Ticketmaster accounts may have been compromised, password hygiene shouldn’t just be the concern of those affected,” added Emmanuel Schalit, CEO, Dashlane.
“All users should take this opportunity to also make sure all of their passwords are strong across all of their accounts, not just Ticketmaster. In practice the ideal password is one that is a unique and random string of letters and numbers that can be randomly and securely generated.
“As demonstrated here, breaches often go undetected for months, so you never know when your account may have been exposed and your information vulnerable – password hygiene is not just for breaches.”