Bank says Ticketmaster knew of breach months before taking action

Ticketmaster UK announced on its site yesterday that it identified malicious malware on June 23rd that had affected nearly five percent of their customers, allowing an unknown third-party access to customers’ names, email addresses, telephone numbers, payment details and login information between February 2017 and June 23rd, 2018.

The company says the breach can be traced back to an AI chat bot it uses to help answer customers’ questions when a live staff member is unavailable. The software’s designer, Inbenta, confirmed that the malware had taken advantage of one piece of JavaScript that was written specially for Ticketmaster’s use of the chat bot.

However, both companies have confirmed that as of June 26th the vulnerability has been resolved. In its statement, Ticketmaster told customers that affected accounts had been contacted and were offered a free 12-month identity monitoring service as a consolation as soon as the company became aware of the breach.

But, according to U.K. digital bank Monzo, Ticketmaster was informed of the breach in April.

In a statement released by its Financial Crime team today, Monzo describes the events from its perspective. On April 6th, the bank began to notice a pattern of fraudulent transactions on cards that had been previously used at Ticketmaster. Out of 50 fraud reports the bank received that day, 70 percent of cards had made transactions on Ticketmaster in the last several months.

“This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster,” said Natasha Vernier, head of Financial Crime at Monzo, in the statement.

On April 12th, Monzo says it expressed its concerns directly to Ticketmaster and that the company said it would “investigate internally.” In the week to follow, Monzo received several more Ticketmaster-related fraud alerts and made the decision to replace roughly 6,000 compromised cards over the course of April 19th and 20th, without mentioning Ticketmaster.

During that same period, Ticketmaster told Monzo that its completed internal investigation had shown no evidence of a breach.

This puts Ticketmaster in an awkward position, because under the 2018 General Data Protection Regulations (GDPR), companies are required to report information of a breach within 72 hours. Not 76 days. It’s uncertain, based on the timeline of events, if Ticketmaster will be held to these standards or the now-overturned 1998 standards, but either way the water is starting to heat up around the ticket dealer.

We’ve reached out to Ticketmaster for comment but the company did not reply by the time of publication.

 

Update 10:20 am/June 29th A Ticketmaster spokesperson provided the following comment:

When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf. In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.