Perils of Insecure Code: Ticketmaster UK Compromise
For consumers, ease of use in the user experience (UX) is paramount, and it is what draws them to a service. One area where this applies is entertainment and recreation. To attend certain events, a ticket is required for entry. One online option for purchasing tickets is Ticketmaster, which, like many other organizations in this field, is multinational. An issue was recently detected within the UK arm of Ticketmaster.
Affected Parties
Because this organization is so large, a large number of clients were affected. An estimated 40K clients purchased tickets within the exposure period ending June 23, 2018. The exposure was through Ticketmaster and other websites owned by Ticketmaster: Ticketweb and Get Me In!. Those affected may unfortunately become victims of identity theft and fraudulent use of their credit cards.
Compromise
This was not a quick operation with the attackers breaching the organization for notoriety. The breach and subsequent compromise occurred over several months. This period is estimated from September 2017 to June 23, 2018. The organization was notified of the breach in April 2018. The issue was disclosed on June 23, 2018.
As a result of this issue, clients' personal data was exfiltrated. This included clients' names, addresses, phone numbers, payment data, and Ticketmaster logins and passwords. The attackers are still unknown.
The organization should have known there was an issue from the various indicators. The InfoSec team should have noticed something was not correct when the logs were reviewed. What actually brought this to the attention of Ticketmaster was an increase in fraud complaints.
The cause of this issue was a simple copy/paste. Ticketmaster reused code from one of its contractors, Inbenta. The code was originally used in a chat function. It was coded with functionality in mind rather than security. Through this code, the attackers were able to monitor the data flowing in from clients' orders. The JavaScript used on the payment page was thus not coded for this function. Although the intention was economical, security was not a focus in the SDLC.
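A defender's check for the situation described above, as an added example that is not code from the article, Ticketmaster or Inbenta: it lists every script a payment page loads from another host and reports whether each is pinned with a Subresource Integrity hash that still matches what the host serves. The function names, hosts, paths and script bodies are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// Subresource Integrity value ("sha384-<base64>") for a script body.
function sriHash(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Read one attribute value out of the raw attribute text of a tag.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']+)["']`, "i").exec(attrs);
  return m ? m[1] : null;
}

// List every script the page loads from a host other than firstPartyHost.
// `fetched` maps script URL -> body as retrieved by the auditor.
function auditScripts(html, firstPartyHost, fetched) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = attr(m[1], "src");
    if (!src) continue; // inline script, out of scope here
    const host = new URL(src, `https://${firstPartyHost}/`).host;
    if (host === firstPartyHost) continue;
    const pinned = attr(m[1], "integrity");
    let status = "no-integrity"; // vendor can change this code at any time
    if (pinned) {
      const body = fetched[src];
      if (body === undefined) status = "not-fetched";
      else status = pinned === sriHash(body) ? "pinned-ok" : "hash-mismatch";
    }
    findings.push({ src, host, status });
  }
  return findings;
}

// Constructed sample data: hosts, paths and script bodies are invented.
const PINNED_LIB = "window.lib = { version: 1 };";
const SAMPLE_HTML = `
<form id="payment" action="/pay" method="post"></form>
<script src="/js/checkout.js"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script src="https://cdn.vendor.example/lib.js"
        integrity="${sriHash(PINNED_LIB)}" crossorigin="anonymous"></script>`;

console.log(auditScripts(SAMPLE_HTML, "shop.example",
  { "https://cdn.vendor.example/lib.js": PINNED_LIB + "\n// changed upstream" }));
```

A `no-integrity` finding on a payment page means the page runs whatever the vendor's host serves at that moment; a `hash-mismatch` means the served file has changed since it was pinned, and a browser enforcing the integrity attribute would refuse to run it.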
Handling
The issue was not handled exceptionally well. Generally, an entity should embrace the best practices of urgency, transparency, and empathy. Ticketmaster was notified of the breach and elected not to act on it for a month. Ticketmaster did eventually warn the affected customers. The primary recommendation was for the clients to reset their passwords. When a mistake is made, the company should recognize it, own it, and accept the responsibility. The responsibility should not have been shifted to third parties. In this case, Ticketmaster attempted to push the blame onto the contractor, since this was originally their code.
Lessons Learned
Any entity should be open and honest when there is a breach. In the long run this may work to minimize the potential exposure and effects. The code was for the application and should have been secure. Finally, the lesson learned is that any organization with ties to the Internet is vulnerable, a lesson that by this time all organizations should have learned.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.