Ticketmaster Breach Traces to Embedded Chatbot Software
Hacker Modified JavaScript Chatbot to Scrape Customers' Card Payment Details
Ticketmaster is warning customers that it suffered a data breach that exposed payment card data.
The ticket sales and distribution giant, which is part of Live Nation Entertainment, says that on Saturday, it discovered that automated customer support chatbot software from Inbenta Technologies that runs on multiple Ticketmaster websites was hacked and used to steal an unspecified amount of payment card data.
"As a result of Inbenta's product running on Ticketmaster International websites, some of our customers' personal or payment information may have been accessed by an unknown third party," Ticketmaster says in its data breach notification to customers.
"As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites," it adds.
The affected websites were Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb.
Inbenta has confirmed the breach, but suggested that Ticketmaster should not have been using its JavaScript chatbot software on a card payment page.
Breach May Have Begun in September 2017
Ticketmaster has not specified precisely how many customers were affected or payment cards might have been compromised before it mitigated the problem on Saturday. But it says that any U.K. users who bought a ticket from February onwards might have been affected, and says that international users may have been affected since September 2017.
"Less than 5 percent of our global customer base has been affected by this incident," Ticketmaster says. On its website, however, the company claims to serve "over 230 million customers per year" - of which 5 percent would be 11.5 million.
"Customers in North America have not been affected," Ticketmaster says.
In 2017, Ticketmaster's platform handled $30 billion in ticket sales, earning $2.1 billion in revenue for Live Nation, which is based in Beverly Hills, California.
Live Nation's most recent 10-K filing with the U.S. Securities and Exchange Commission does not mention information security or cybersecurity as posing a potential risk to the publicly traded company or its operations.
Inbenta Blames Ticketmaster
Inbenta Technologies has confirmed that its technology was involved in the breach and fixed the underlying vulnerability on Tuesday. But in the bigger picture, the company appears to blame Ticketmaster for the circumstances that led to the breach.
"Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements. This code is not part of any of Inbenta's products or present in any of our other implementations," Inbenta Technologies CEO Jordia Torras writes in the company's data breach notification.
"Ticketmaster directly applied the script to its payments page, without notifying our team," Torras says. "Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018."
Torras added: "We're truly sorry that the use of our technology resulted in a violation of Ticketmaster users' privacy."
Mikko Hypponen, chief research officer at Finnish anti-virus firm F-Secure, noted that the presence of the chatbot on the payment page appeared to give attackers a way to inject arbitrary JavaScript and steal customers' card details as they entered them into Ticketmaster's website.
Ticketmaster: Reset Some Passwords
Ticketmaster has told multiple media outlets that it appears that only about 40,000 U.K. customers were affected by the breach. It's alerting those customers directly and offering them 12 months of prepaid identity theft monitoring. It's also requiring all users of its Ticketmaster International website to change their passwords when they next log in.
The company's alert to customers, however, suggests that its findings are so far preliminary. "Forensic teams and security experts are working around the clock to understand how the data was compromised," it says.
Ticketmaster says that it's also working with authorities, as well a credit card companies and banks, to investigate the breach.
The U.K.'s Information Commissioner's Office, which enforces the country's data protection laws, says it's aware of the breach.
"Organizations have a legal duty to ensure that people's personal information is held securely," the ICO says in a statement. "We have been made aware of an issue concerning Ticketmaster and will be making enquiries."
The ICO enforces the EU's General Data Protection Regulation, or GDPR. As of May 25, GDPR enforcement is in full effect, meaning that organizations such as Ticketmaster are required to report all breaches that potentially exposed people's personally identifiable information to authorities within 72 hours, as Ticketmaster appears to have done.
The U.K.'s government-run National Cyber Security Center, which hosts the country's computer emergency response team, says it's tracking the incident.
"We are aware of a cyber incident affecting Ticketmaster," a spokeswoman says in a statement. "The NCSC is working with our partners to better understand the incident."
The ICO has said that when it learns of a breach, it will issue specific recommendations to victim organizations, which can include directly notifying affected users as well as working with the NCSC.
Inbenta: Attack Contained
Inbenta says that the attack appears to have been limited to Ticketmaster and to not have affected any of its other customers.
"Inbenta has conducted a detailed analysis of all the file systems used for development and production systems, thoroughly analyzing any difference between the original source code and the version in the production environment," the company says in a security FAQ about the breach.
"We can confirm that just three files were altered that affected three specific websites for Ticketmaster," the company says. "No other file has been affected, and therefore we are completely confident that no other customer of Inbenta has been affected."