back to article Ticketmaster gatecrash: Gig revelers' personal, payment info glimpsed by support site malware

Ticketmaster UK has warned punters that malware infected one of its customer support systems – and may have siphoned off their personal information and payment details. Anyone in Britain who bought, or tried to buy, a ticket from the biz between February and June 23 this year, and international customers who purchased, or …

  1. AGS221

    Got one of these and they don't tell you who the identity monitoring service is. Click on their link and it takes you to website a.pgtb.me to fill in details - never did a URL look more like a phishing attempt...

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Agreed - I flagged it as Phishing. The emails were sent out before there was any news coverage, or anything on the TicketMaster website.The a.pgbt.me website link when clicked from the email used http: not https: for the form to enter user data. It all seemed very strange. It was at that point I started thinking I was falling for a Phishing scam...

  2. Mr Dogshit

    Coincidence?

    Yesterday someone tried to buy £500 worth of stuff using the credit card I bought a couple of tickets through Ticketmaster with. Credit card company was on the ball and blocked it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Coincidence?

      Happened to me last week.

      Had Ticketmaster been storing card, expiry and CVV data in encrypted form..???

      If so, I hope ICO take them to the cleaners...

    2. Anonymous Coward
      Anonymous Coward

      Re: Coincidence?

      Me too. Luckily the CC company blocked it after 2 payments had gone through and refunded what had in 24 hours.

      1. yoganmahew

        Re: Coincidence?

        Me too! This is from Ireland buying ticketmaster UK tickets.

        And quite a panic'd affair it was too since the tickets require the original purchase card to accompany them.

        Some questions too other than the above about what were Ticketmaster storing - what were they sending to the chatbot company? Everything? There's nothing that you agree to to have your details sent to a third party.

        GDPR's first test case?

    3. Handel was a crank

      Re: Coincidence?

      Somebody attempted to buy stuff on my credit card from Argos and train tickets from Thameslink three weeks ago, so that's explained now.

      And thanks for storing my unencrypted information.

      Luckily the bank spotted it.

  3. Anonymous Coward
    Anonymous Coward

    I had my card used fraudulently a few weeks ago although I am really on the ball with security. I got this email today, so it is probably the culprit. Luckily I use unique email addresses and password for all my online accounts so I should be safe. I am at least glad I have a good idea where my card details were obtained.

  4. djack

    Barclaycard were a little bit proactive.

    Dunno if it was related to this but Barcklaycard suddenly decided to revoke and replace my card over the weekend. This was a couple of days before the 23rd but other news sites indicate that people were aware of the attack before that date.

    1. staggeringlywood

      Re: Barclaycard were a little bit proactive.

      Same here. I asked them why they were doing it but said they deal with industry partners etc. etc. - I thought it was to do with the Carphone data breach recently but evidently not. I have (had) both my debit and credit card stored on TM's servers but paid for tickets with my Barclaycard, one would hope that my debit card doesn't need replacing too as haven't bought with it for some time...

      I was quite surprised about Barclaycard issuing a brand new card and card number but that would hint at the severity / massive balls up that TM have made, as it can't be that cheap to issue brand new cards for thousands of people.

  5. Doctor Syntax Silver badge

    Let's see how the ICO deals with this under GDPR - although there may be a complication that the hack was in progress before. But it gives us chance to see what sort of levels of fines they're going to impose.

    And given that the hack was on a US 3rd party supplier it's good to see the Privacy Shield is really doing its stuff.

    1. kain preacher

      Doctor Syntax I know lots of people hate Privacy Shield but to me that's not the real issue as this could of easily happened if the the 3rd party was British based . What should be ragged on is why does a chat bot have access to the billing server and why were they storing the cv2 numbers.

  6. Anonymous Coward
    Anonymous Coward

    PCI-DSS ?

    No mention ???

  7. Anonymous Coward
    Anonymous Coward

    The always reliable 'Get-Out-Of-Jail-Free-Card'

    Blame the 3rd-Party! Good thing GDPR has 'teeth' to punish this (iirc)...

    1. Anonymous Coward
      Anonymous Coward

      Re: The always reliable 'Get-Out-Of-Jail-Free-Card'

      I really don't buy how it's not their fault...

      I trust ICO take a very close look at how things were stored and how they were accessed, if they were shared to anyone that passes an initial partner approval.

      Also not mentioned, is this also affects Ticketmaster Ireland

      I got two emails, from from UK, one from RoI.

  8. Anonymous Coward
    Anonymous Coward

    'Punters are being offered 12 months of identity-theft monitoring by Ticketmaster'

    ...Just in case the leak didn't work and you need Equifux to really fux you...

  9. Anonymous Coward
    Anonymous Coward

    And don't forget all the (true) allegations...

    Of Ticketmaster pushing GETMEIN (which they own) by using Google ad services to sell second hand tickets at above list price when you could still buy face value tickets from Ticketmaster.

    They are a bunch of scumbags.

  10. John McGhie
    Flame

    Australia too, apparently

    My co-worker just got a call, apparently from Ticketmaster, notifying him that "a large number" of account details have been compromised.

    We're in Sydney, Australia

  11. Anonymous Coward
    Anonymous Coward

    Why do customer support (and thus the malware) have access to the customers full card details? This is not needed to take a payment if the details are stored properly in the system. They should see the last 4 digits and expiry date, the same as the end user when confirming a payment.

  12. Seajay
    Boffin

    The third party don't need the credit card details. However, the "chatbot" javascript from the third party will have been included in the ticketmaster webages. If that javascript coming from the third party is then hacked, it can basically do anything it wants on the ticketmaster page - including keylogging everything that happens and sending a copy to wherever the bad actors want it to go.

    Ticketmaster's own processes for credit card details etc may be secure, but the third party code obviously wasn't

    1. Anonymous C0ward

      "Ticketmaster's own processes for credit card details etc may be secure"

      Not secure enough. They shouldn't show the full details even to me or their staff.

  13. kain preacher

    "Folks in North America are unaffected, we're told"

    Sure just like only a small percentage of people in the UK was affected by the experian leak.

  14. Noonoot

    Someone's going to get fired

    As per title

    1. Anonymous Coward
      Anonymous Coward

      Re: Someone's going to get fired

      But you can be sure they’ll be right at the bottom of the food chain.

  15. steviebuk Silver badge

    Back in the 90s...

    ...while doing my HDC in Computing my old friend (who I haven't seen in years) Drew, created, for one of our big end of year assignments, a concert ticket program. He called it Ticketmaster*. I wonder if they are using his software still from back then :)

    It was coded in Visual Basic.

    *He used their name as he loved going to concerts and it was where he purchased his tickets from back in the day. Having never been to any, I'd thought he'd made the name up himself.

  16. $till$kint
    Pint

    Barclaycard also on the ball here

    About 3 weeks ago I was notified of two suspicious transactions by BarclayCard; one for close on £1000 for events through another ticket sales company and one for car insurance (yes, really!)

    The last transaction prior to these? Ticketmaster on 23rd February.

    Smoking gun anyone?

    It rather looks like the bad actors gathered data for at least 3 months before they swung into action and started selling the details. On the plus side, both the merchants in this case were keen to take action to cancel the purchases (invalidating tickets and insurance) and were proactive in referring the matter to their internal fraud teams and local police. Barclays had already put chargeback in place, but was nice to see the merchants taking an active stance.

    Not often I say this, but beers for Barclays.

  17. werdsmith Silver badge

    There's usually a checkbox, TM have it - "Store my card information - for faster checkout next time"

    What idiot checks that box? Absolutely nobody should ever check that box, storing payment information should be outlawed.

    I got the notification email but I know I didn't check that box to store the card details, I never do. If this leads to any fraud then TM must have retained the information anyway. I use pre-load card which I add enough to cover purchases on the web and keep empty otherwise so damage limited.

    1. yoganmahew

      Even if you never checked it (we don't), you got hacked.

  18. Anonymous Coward
    Anonymous Coward

    I bought tickets to a gig back in March and a few weeks later had fraud showing on my card. Received the email this morning.

    (Possibly) fortunately - Santander decided that the fraudulent transactions were my fault, and despite them finally acknowledging the fraud wasn't my fault, I changed banks so the card used is long gone.

  19. Tom Melly

    Clear as mud

    Hmm... my CC was used fraudulently a few weeks ago. My bank, FD, stopped it and issued a new card, but have been very reluctant to clarify what they know about the fraud, where it originated from, and how they spotted it, although a rep on the phone did drop a clue that I wasn't alone.

    Still in the dark, and puzzled as to why the bank is being cagey.

    1. $till$kint

      Re: Clear as mud

      Not great practice to share what you know and how you know it when it comes to fraud detection. Word tends to get back to the fraudsters and they modify their MO to further obfuscate detection.

      1. Tom Melly

        Re: Clear as mud

        I'm not asking for a forensic breakdown - just "X co. got hacked, we got passed a list of potentially affected cards, and monitored those accounts for unusual activity."

        The bottom line is that I've no idea which company dropped the ball, and I would like the option of no longer using that service.

        1. $till$kint

          Re: Clear as mud

          @Tom. Fair one. Have an upvote

    2. This post has been deleted by its author

    3. Siberian Hamster

      Re: Clear as mud

      There is only one reason any company is ever cagey about something and that's when they think they've screwed up, if they had even the faintest idea it was customers they would have blamed them first.

  20. Andrew Moore

    Apparently...

    Ticketbastard were notified of this back in April...

  21. Lee D Silver badge

    Seriously.

    Stop giving your call centre and back-office agents general purpose operating systems and/or permissions enough that they can get infected by any random passing malware. They don't need it.

    Also, don't give them free reign of the database access. Rate-limit, dial down permissions and make them REQUEST info. Then if one person requests info on a million users, you know there's something wrong.

    2018, and we still can't get the very basics of "need to know" and "minimal permission necessary" right.

  22. Anonymous Coward
    Anonymous Coward

    We contacted those who are affected....

    With the information stored in the compromised accounts.... That's handy for the now owner of the accounts at least they know that TM are on to them.

  23. tiggity Silver badge

    JavaScript junk

    When will people learn that JS (especially third party) is a big security risk.

    I really pine for the days of old skool websites with no JS.

  24. Doogie Howser MD

    Convenience Fee

    Now is my big chance to get my own back. For every attempted fraud attempt, I'm going to charge Ticketshyster £1000 "convenience fee", see how they fucking like it.

  25. MooseMonkey

    Monzo

    Pop over to the Monzo website they have a full description of the number of times they told ticketmaster about a breech, and the number of times ticketmaster denied it. It's been three months and now they cough... Should be fined out of existence.

    1. Anonymous Coward
      Anonymous Coward

      Re: Monzo

      Mastercard arent going to come out of this with glory either judging by the timeline.

      1. Anonymous Coward
        Megaphone

        Re: Monzo

        So can I sue Ticketmaster for improper security and general incompetence when dealing with my data?

        Any no win no fee lawyers wanna take this on?

  26. Sequin

    I got the email a few days ago and today my bank phoned me to say that someone had tried to use my debit card details on a US site and they had flagged it as dodgy. I now have to wait until after the weekend for a new card, and will have to try to get some cash out of one of the few remaining physical branches tomorrow.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon