Online bank Monzo said it warned Ticketmaster that something weird was going on in early April, two months before the ticket-slinging giant revealed its payment pages had been hacked.
Monzo detected an abnormal number of customers who had both bought tickets from Ticketmaster since December and had fraudulent activity on their cards, leading staff to believe the two were related. On April 12, Ticketmaster staff visited the startup bank's offices to see the evidence, we learned on Thursday this week.
According to Monzo, 50 customers had complained on April 6 that someone had hijacked their bank cards and spent their money – and 35 of them, or 70 per cent – had used Ticketmaster.
"This seemed unusual, as overall only 0.8 per cent of all our customers had used Ticketmaster," Natasha Vernier, Monzo's head of financial crime, said. A week later, on April 19, Ticketmaster told the upstart bank that, in Vernier's words, "an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns."
Fast forward to June 27, this week, and Ticketmaster admitted hackers gained access to the personal details and sensitive payment card information of up to five percent of its customer base.
When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf. In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.
Ticketmaster gatecrash: Gig revelers' personal, payment info glimpsed by support site malwareREAD MORE
"Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability," Inbenta CEO Jordi Torras said in a statement.
We're told crooks modified this script code, hosted on Inbenta's servers, "to extract the payment information of Ticketmaster customers," said Torras.
UK customers who bought, or tried to buy, a ticket from Ticketmaster between February and June 23 this year, and international customers who flashed the plastic from September 2017 to earlier this week, were at risk. As many as 40,000 Brits had their details slurped.
If Monzo’s warnings had been fully followed up, fewer customers would have been impacted, said Tony Pepper, chief exec of data security outfit Egress.
“There are going to be a few eyebrows raised this morning about this breach and when Ticketmaster really discovered it,” Pepper said.
“Clearly data was at risk for some time and apparently, Ticketmaster had been alerted to the issue but didn’t heed those warnings. It is going to be interesting to see how the ICO reacts when they get to the bottom of this, given the emphasis now placed on data breach reporting and reflected in the changes made under the GDPR.”
Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, commented: "Hackers have, for years, used vulnerabilities in websites and other connected applications as a point of breach. Once through, it is only a hop, skip and jump into databases, web servers and other crucial infrastructure. It looks like that is exactly what has happened to Ticketmaster – and it’s the customers who pay."
The Ticketmaster cyber-break-in is the first major computer security breach since Europe's GDPR came into effect on May 25, so close attention will be paid on whether Ticketmaster complied with the regulation relating to breach notification and adequate security. ®