back to article Startup bank Monzo: We warned Ticketmaster months ago of site fraud

Online bank Monzo said it warned Ticketmaster that something weird was going on in early April, two months before the ticket-slinging giant revealed its payment pages had been hacked. Monzo detected an abnormal number of customers who had both bought tickets from Ticketmaster since December and had fraudulent activity on their …

  1. Wellyboot Silver badge
    WTF?

    Complete FUBAR

    >>"The source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements," said Torras. "This code is not part of any of Inbenta’s products or present in any of our other implementations. Ticketmaster directly applied the script to its payments page, without notifying our team."<<

    Are Ibenta really saying they changed the JS but didn't know that their customer was using it for nearly 9 months?

    Compounded by Ticketmasters 2 months of 'We're ok' after being told by a bank that something iffy was happening.

  2. a_yank_lurker

    If Stupidity Were a Crime

    The only reason TicketMaster ignored Mono was they were a startup who had to be incompetent. It sounds like Monzo is setting up them up for a nasty lawsuit for damages.

    1. yoganmahew

      Re: If Stupidity Were a Crime

      I'm not sure Ticketmaster are a startup...

      Mrs. YM was hacked following a Ticketmaster transaction, like many others reporting in the original thread. I'm sure those banks are capable of seeing Ticketmaster as the common factor and reported to them. I suspect there's a cosiness of relationship involved in bad publicity, but that other banks will come forward.

      I also suspect that the reason for Ticketmasters complacency is that they had another leak, one they quietly fixed (perhaps back-office personnel based?) and finding one bomb left to comlacent as to the presence of another.

      ... you're right, though, Ticketmaster are clearly incompetent.

  3. SVV

    Ticketmaster / Live Nation

    Nice bunch of folks (2 names for same company), live music fans are not big fans of them, their 3 months delay and apparent lack of concern in reacting to the fraud can be put into quite an interesting context when reading this other story from one of my fave music sites :

    "Atlanta's Gwinett Centre is one such example, with the venue claiming that they were dropped from Live Nation-controlled tours in 2013 after switching from using Ticketmaster to an AEG-controlled ticketing company.

    Emails between Dan Markham, who is Gwinett's bookings director, and a Live Nation representative, show that the former approached Live Nation to discuss the reasoning behind the venue's loss of shows. The response from Live Nation read: "Three letters. Can you guess what they are?"

    http://thequietus.com/articles/24315-live-nation-monopoly-investigation

    1. phuzz Silver badge

      Re: Ticketmaster / Live Nation

      I can't remember the last time I bought something via Ticketmaster, but I assume they're still charging you loads for a ticket, and then adding mandatory booking fees and then postage fess on top of the price?

      Funny how my local ticket shop gets away with just charging a few quid for postage, with no booking fee at all.

      Support your local venues, support your local ticket shops.

      1. Martin
        WTF?

        Ticketmaster / GetMeIn

        I wouldn't buy from Ticketmaster if I could avoid it.

        I was horrified to find that they own GetMeIn - which means that Ticketmaster have no incentive whatsoever to worry about getting tickets to valid fans - they'd rather they went to people who will resell on GetMeIn - double profit!!

        On the other hand, I have just opened an account with Monzo.

  4. streaky

    Monzo..

    Second time I've seen something related to Monzo in a few days.. Has somebody finally decided to actually... compete.. with the main banks?

    Tell me you support U2F and consider me a customer.

    1. deive

      Re: Monzo..

      Just do it. They are soooooooo much better than any other bank :-)

      1. Anonymous Coward
        Anonymous Coward

        Re: Monzo..

        oooooooooooooooo need to be UK resident

        waiting for them to go international, they intend to says their webpage.

        better sooner then later, I'm fed up with my bank but it's the cheapest for me, others are just as shitty but a few cents more expensive. Triodos is really TOO expensive , else I would've checked in at them.

  5. Mark 85

    Ticketmaster responded to the intrusion by contacting those who may have had their info swiped by miscreants, and offering a free 12-month identity monitoring service.

    Identity monitoring is closing barn door after the horse was stolen. It's about time that some serious lawsuits get filed against companies who are breached and offer this panacea. It's obvious that customer data isn't important to them and only the bottom line matters. They should take a serious hit to that precious bottom line for lack of attention to details. FWIW, running code off someone else's computer is just plain negligent and stupid to say the least.

    1. John Brown (no body) Silver badge

      Yes, the "free identity monitoring" should be the compulsory bit anyway. It is in no way compensation. If the breach hadn't happened, the poor suckers would never have needed identity monitoring anyway.

  6. Lomax
    Thumb Down

    Couldn't have happened to a nicer company

    Had an atrociusly bad experience trying to gift a ticket to a mate via the TM website a few weeks ago - ended up having to demand a refund, which they sat on for a week, and getting the tix straight from the venue's own site. My blood pressure has since returned to safe levels, but the day I spent trying to get the ticket booked is lost forever. The TM site sucks rotten eggs and customer support is typical for a company of this type (somewhere between Kafka and Dostoyevsky). What is it with modern day capitalism and the proliferation of useless monopolies - I distinctly remember being told that privatisation, and globalisation, would eliminate these?

    Also, I take it this means I have to now go through the tortuous rigmarole of getting my Visa card replaced?

    1. Wellyboot Silver badge

      Re: Couldn't have happened to a nicer company

      It's worth a chat with a rep if for no other reason than the recording for 'training' purposes. I'd like to think your card issuer is doing it's job properly (prevention of ongoing fraud) and has already flagged cards with TM transactions.

  7. sanmigueelbeer
    Happy

    and offering a free 12-month identity monitoring service.

    Identity monitoring service will be with Equifax. :P

    1. SimonAldrich

      I know that you're joking but what's more of a joke is the service they're providing. It's Experian DataPatrol (Garlik).

      It's not credit monitoring, instead you have to give it all your details (email, phone, driving license #, passport #, credit cards etc) and it supposedly alerts you if those show up somewhere on the web. Basically it's just Googling your details and, as an attractive side-note for hackers, is also now a repository of all your essential details.

      I decided it was about as much use as a chocolate teapot and declined to give it any of my financial or identity details to "monitor"

  8. Velv

    Up to 40,000 customers could have had details stolen.

    I find this number suspicious. Given the number of events Ticketmaster cover, the size of said events in terms of raw tickets, and the length of time, I’d expect the number to be substantially higher. And I’m assuming these customers don’t include the many football and rugby clubs that use tickmaster as their ticket engine, many of them can have 40,000+ tickets at one event (ok, so many customers will be buying more than one ticket, but unlikely to be in the 10s)

  9. localzuk Silver badge

    No other bank had reported anything

    I wonder why? Is it because most other banks aren't bothered about their customer's money? Monzo is growing, so their customers and their money is the most important thing to them - if they don't behave like this, the effect of bad publicity could kill them quickly.

    Whereas bad publicity for the big names? Just more to add to the pile.

  10. Cuddles

    That's not how it works

    "there was no evidence that the issue originated with Ticketmaster."

    It's your customers entering data into your system on your website in order to use your services, interacting with third parties contracted and approved by you. The exact details of the specific company name on the payslip of the person who wrote the specific bit of code at the root of the problem are not relevant. Blaming a third party doesn't get you off the hook, it just makes things look even worse since it demonstrates that not only did you let your site get compromised, but you were also clearly incapable of understanding how your own site works or auditing it properly when alerted to a problem.

  11. Anonymous Coward
    Anonymous Coward

    Fine!

    No, seriously - fine them.

    1. Fatman

      Re: Fine!

      Better suggestion - put them out of business.

  12. Anonymous Coward
    Anonymous Coward

    Can I sue?

    If it's shown they were incompetent with how they stored my data and card details?

    Anyone want to take this case on no win no fee?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like