Photo credit: José Goulão
Let’s travel back to a simpler time: 2018.
Those were the days when you could say to your wife, Rachel, “Wouldn’t it be awesome to go see Alicia Keys this summer?” She would say, “Yes,” and sure enough, several months later, the two of you would happily attend the concert.
Alas, those kinds of things did not happen in 2020. Instead, the concert was postponed indefinitely, and as I write this, we are still awaiting our refund.
Of course, 2018 was not without its own disappointments – particularly for customers of Ticketmaster. Back then, the company had installed a chatbot on its order page, one whose purpose was to provide help as needed and take payment information for ticket purchases.
Unfortunately, this same chatbot also allowed Ticketmaster customer credit card data to be sent from the website to an international group of bad guys known as the Magecart gang.
Was the Ticketmaster web site breached? No.
Did Ticketmaster act irresponsibly by placing another vendor’s unsecure applet on its site? You betcha.
You Are Responsible For Your Customers’ Sensitive Information
Anytime you collect customer information – even if the actual collection is being done by a third-party vendor that you have involved in the process – it is your responsibility to ensure that that data is secure.
With that in mind, here are three lessons from Ticketmaster’s massive stumble…
Ticketmaster Breach Lesson #1: Validate your vendors’ security.
We have written in the past at length about managing your vendors. This is one area in which it is difficult to spend too much time, especially concerning vendors that are critical in the delivery of your service or in which key information is involved, such as financial processes or anything that could undermine your organization’s credibility.
You’ll want to be particularly careful with payment processes. Where these are concerned, you should have a special review involving the entire team responsible, especially if third-party JavaScript libraries are used.
Also, pay special attention when any changes are made to a web page in which payments are handled. Ticketmaster’s own site may have been secure, but when they introduced the chatbot they should have evaluated the potential impact of that change.
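As an added example (not code from the original post, and not Ticketmaster's), here is a small audit script that lists every third-party script on a checkout page and whether it is pinned with Subresource Integrity, the kind of check to run before and after any change to a payment page. The hostnames and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit_payment_page(html, first_party_host):
    """Return (host, note) findings for script tags that load code from
    hosts other than first_party_host. A third-party script without an
    `integrity` attribute (Subresource Integrity) can be changed on the
    vendor's server at any time and still execute inside the payment page."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts are first-party content
        host = urlparse(src).hostname
        if host is None or host == first_party_host:
            continue  # relative or same-origin URL
        if attrs.get("integrity"):
            findings.append((host, "third-party script pinned with SRI"))
        else:
            findings.append((host, "third-party script without SRI"))
    return findings

# Constructed sample checkout page (placeholder hosts, placeholder hash):
SAMPLE_CHECKOUT = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-vendor.test/chatbot.js"></script>
<script src="https://cdn.jslib.test/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>var x = 1;</script>
</body></html>
"""

if __name__ == "__main__":
    for host, note in audit_payment_page(SAMPLE_CHECKOUT, "shop.example.test"):
        print(host, "-", note)
```

SRI only pins a script's content, so a vendor loader that is meant to update itself cannot be pinned and needs a review of what it does instead; pair the check with a Content-Security-Policy that restricts where the page may send data.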
Ticketmaster Breach Lesson #2: If you process credit cards, follow PCI.
Oh, did I forget to mention? Ticketmaster was fined $1.7 million (actually 1.25 million pounds) under the General Data Protection Regulation (GDPR) because it compromised EU citizens’ data and did not take appropriate steps to safeguard it. Even though GDPR is a European regulation, if you are processing data for EU citizens, you are bound by it!
GDPR held Ticketmaster to the Payment Card Industry (PCI) Data Security Standard (DSS) for credit cards. These are rigorous standards, the violation of which can have significant (i.e., expensive!) consequences, involving higher processing rates, fines, or both.
If you are processing credit cards, please check and double-check that you are following proper procedures from both a technical standpoint and in terms of staff training. Even if you are taking card payments over the phone and writing them down on paper, if your employees are handling sensitive information, they need training.
Ticketmaster Breach Lesson #3: Fine-tune your incident response.
Well, at least Ticketmaster responded appropriately once it was notified, right? WRONG! It took the company nine weeks (not a typo) to locate the problem source.
And that was many weeks after one of the company’s banks pointed to the exact web page where the problem existed, and a Twitter user called out the precise line of code that was at fault. This is the cybersecurity equivalent of looking for your car keys while holding them in your hand.
For a company the size of Ticketmaster, one would expect it to have a formal, in-house incident response team as well as a contract with a third party to provide tech assistance as needed. Even if it had not believed the first few reports, taking more than two months to recognize, locate and fix the problem was a major blunder.
ANY company that handles sensitive data needs an incident response process worked out beforehand, whether that’s handled in-house or contracted through a reliable third party.
Final Thoughts
Credit card processing is a fast, efficient, convenient way to accept payment from your customers. But it comes with a responsibility – you need to have your act together.
Understand the regulations, think through the process you’ve established, train your people properly, and be prepared to reevaluate everything whenever changes are made.
Wish me luck. I’m off to battle with Ticketmaster for my refund.