CIO

Chat bot opens door to Ticketmaster payment card hack

Online ticket sales firm Ticketmaster on Wednesday revealed a breach that exposed payment card data of tens of thousands of customers in the UK and Australia. 

At the heart of the breach was a chat bot service that Ticketmaster integrated into its payment page from its third-party supplier, Inbenta. 

The partners are now laying blame for the breach on each other, while a third unrelated company, digital bank startup Monzo, said it warned Ticketmaster about a possible breach in April, some two months before Ticketmaster said it discovered the breach. 

Ticketmaster has posted a page describing a “data security incident by a third party supplier” that says on Saturday June 23 its UK headquarters discovered malware on a customer support product hosted by Inbenta. 

The software was embedded within payment pages on Ticketmaster UK and International websites, meaning it potentially affected customers in the UK, as well as Australia, New Zealand, France, Ireland, Germany, and Spain. US customers were not affected.  

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites,” said Ticketmaster, which estimates that less than 5 percent of its global customers were affected. 

The BBC reports that around 40,000 UK residents were affected. The UK's National Crime Agency said it is investigating the incident, while the National Cyber Security Centre (NCSC) has posted advice for affected users.

Compromised details include name, address, email address, telephone number, payment card numbers and Ticketmaster login details. NCSC advised affected users to change online passwords, monitor bank accounts, and watch out for phishing. Many victims may have already seen phishing attempts and fraudulent transfers in the past few months. 

Ticketmaster said that UK customers who used the site between February and June 23, 2018 may be affected, and out of caution it has warned international customers who made purchases in this period. 

Inbenta has posted its own notice that pushes blame back on to Ticketmaster. The company said it customized JavaScript code solely for Ticketmaster, so this code is not present in other customers’ implementations of its technology. 

Inbenta said Ticketmaster used the custom script on its payments page without Inbenta's knowledge, and claims it would have advised against doing so had it known the script would be used in this way. 

“We were unaware of this, and would have advised against doing so had we known, as it presents a point of vulnerability that affects the capacity for web forms to upload files. It appears that the attacker used this vulnerability. We disabled this script as soon as possible, thereby preventing any further breaches at this implementation,” Inbenta said.

The contractor was hosting the script on behalf of Ticketmaster, but says it cannot monitor which web pages its customers embed those scripts on. 

Following Ticketmaster's public disclosure, Monzo said it alerted Ticketmaster about a possible breach in April after receiving reports of fraudulent transactions from about 50 customers and noticing that 70 percent of those reports came from customers who had used their cards with Ticketmaster between December 2017 and April 2018. 

“This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster,” wrote Monzo. 

After spotting a few more fraudulent transactions, the company contacted Ticketmaster directly and was told by its security team that it would investigate the issue. 

Further fraudulent transactions that it traced back to past Ticketmaster purchases prompted it to replace six thousand Monzo cards that had been used with the ticketing company. 

On April 19, Monzo said Ticketmaster informed it that the investigation had turned up no evidence of a breach and that it was the only bank reporting instances of fraud linked to Ticketmaster purchases.