The Ticketmaster Breach – A Never Ending Saga

A few days ago (July 5th, to be precise) I was planning to write more about the latest developments in the Ticketmaster breach. We learned that the attackers had raised their ransom demand from $1 million to $8 million, mainly because the actual barcodes of Taylor Swift concert tickets turned out to be part of the stolen data.

The haul also includes tickets for around 65,000 other events, all of it valued at $22.6 billion. While it sounded as if Live Nation may initially have considered the $1 million price tag, it is impossible to say what effect the increased ransom will have.

The Plot Thickens

However, on Monday (July 8th) I received an email from Ticketmaster, as a customer myself, about this very incident:

Hello,

We are writing to notify you of a data security incident that may have involved your personal information. We take the protection of your personal information very seriously and are sending this correspondence to tell you what happened, what information was involved, what we have done, and what you can do to address this situation.

What Happened
Ticketmaster recently discovered that an unauthorized third party obtained information from a cloud database hosted by a third-party data services provider. Based on our investigation to date, we determined that the unauthorized activity occurred between April 2, 2024, and May 18, 2024. On May 23, 2024, we determined that some of your personal information may have been affected by the incident. We have not seen any additional unauthorized activity in the cloud database since we began our investigation.

What Information Was Involved
The personal information that may have been obtained by the third party may have included your name, basic contact information, and payment card information such as encrypted credit or debit card numbers and expiration dates.

What We Are Doing
We have been diligently investigating this incident with the assistance of outside experts. We have also contacted and are cooperating with U.S. federal law enforcement authorities, and this notice has not been delayed due to law enforcement investigation. We have additionally taken a number of technical and administrative steps to further enhance the security of our systems and customer data. These measures include rotating passwords for all accounts associated with the affected cloud database, reviewing access permissions, and increased alerting mechanisms deployed in the environment.

What You Can Do
We recommend you remain vigilant and take steps to protect against identity theft and fraud, including monitoring your accounts, account statements, and free credit reports for signs of suspicious activity. To further protect your identity and as a precaution, we are also offering you identity monitoring with TransUnion of Canada, Inc. (“TransUnion”), at no cost to you. Identity monitoring will look out for your personal data on the dark web and provide you with alerts for 1 year from the date of enrollment if your personally identifiable information is found online. These services will be provided by TransUnion specializing in fraud assistance and remediation services.

You can sign up for this service by clicking the following link: https://surveys.ticketmaster.com/s/tu-sign-up

Your Ticketmaster account was not affected by this incident, however we recommend being mindful of phishing attempts such as emails from unknown senders or those that contain unusual content, such as links or attachments, or being asked to provide personal information over the phone.

For More Information
We are fully committed to protecting your information, and deeply regret that this incident occurred. If you have questions or concerns regarding this incident, please contact us at +1 833-505-2930 Monday-Friday from 8:00 a.m. to 8:00 p.m. Central Time, excluding holidays.

Sincerely,

Ticketmaster

To be clear, the third party Ticketmaster mentions here is Snowflake, a cloud data warehouse used by many companies because it can handle massive amounts of data and run analytics over whatever it stores.

Attackers accessed Ticketmaster's data in Snowflake using stolen credentials for a valid user account belonging to a contractor. Cue the usual clichés about a chain only being as strong as its weakest link, but that is essentially how this played out.

You can have great security tooling, but all it takes is one compromised, valid account and things unravel quickly. A stolen password presents to every control as a legitimate login; unless a second factor is required, or someone is watching where and how that account suddenly starts connecting from, nothing in the stack has a reason to object.
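What "one compromised, valid account" looks like in the logs, as an added example that is not part of the original post and not Ticketmaster's or Snowflake's code: the Python below builds a per-user baseline from rows shaped like Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view and flags later password-only logins from an IP or client type that user had never used before. The column names follow the real view; the rows, user names, IPs, client types, dates and the April 1 baseline cutoff are all constructed for the example.

```python
"""Flag risky Snowflake logins from LOGIN_HISTORY-style rows.

Added example, not code from the original post or from Snowflake. Column names
mirror SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; every value is invented. The check:
build a per-user baseline of IPs and client types, then flag later successful
password-only logins that arrive from somewhere or something new.
"""
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
BASELINE_END = datetime(2024, 4, 1)  # assumption: everything before this is "known good"


def _row(ts, user, ip, client, first, second, ok="YES"):
    return {"EVENT_TIMESTAMP": ts, "USER_NAME": user, "CLIENT_IP": ip,
            "REPORTED_CLIENT_TYPE": client, "FIRST_AUTHENTICATION_FACTOR": first,
            "SECOND_AUTHENTICATION_FACTOR": second, "IS_SUCCESS": ok}


# Constructed sample rows (all values invented).
LOGIN_HISTORY = [
    # Contractor's normal pattern in the baseline: office IP, web UI, MFA prompt.
    _row("2024-03-04 09:15:02", "CONTRACTOR_ETL", "198.51.100.7", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH"),
    _row("2024-03-18 10:01:44", "CONTRACTOR_ETL", "198.51.100.7", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH"),
    # Pipeline service account: key-pair auth from a fixed host, no second factor by design.
    _row("2024-03-20 02:00:00", "ETL_PIPELINE", "192.0.2.40", "PYTHON_DRIVER", "RSA_KEYPAIR", None),
    # Review period. A failed attempt is ignored here (failures feed a separate brute-force rule).
    _row("2024-04-02 03:10:51", "CONTRACTOR_ETL", "203.0.113.88", "JDBC_DRIVER", "PASSWORD", None, ok="NO"),
    # Same contractor name, but a new IP, a new client and no MFA: a stolen password in the log.
    _row("2024-04-02 03:12:09", "CONTRACTOR_ETL", "203.0.113.88", "JDBC_DRIVER", "PASSWORD", None),
    # Unchanged service-account behaviour: must not alert.
    _row("2024-04-03 02:00:00", "ETL_PIPELINE", "192.0.2.40", "PYTHON_DRIVER", "RSA_KEYPAIR", None),
]


def _ts(row):
    return datetime.strptime(row["EVENT_TIMESTAMP"], FMT)


def build_baseline(rows, cutoff=BASELINE_END):
    """Per user: the IPs and client types seen in successful logins before cutoff."""
    seen = defaultdict(lambda: {"ips": set(), "clients": set()})
    for r in rows:
        if r["IS_SUCCESS"] == "YES" and _ts(r) < cutoff:
            seen[r["USER_NAME"]]["ips"].add(r["CLIENT_IP"])
            seen[r["USER_NAME"]]["clients"].add(r["REPORTED_CLIENT_TYPE"])
    return seen


def password_only_users(rows):
    """Users who have ever logged in with just a password: the accounts that are
    one infostealer log away from being the 'compromised, valid account'."""
    return {r["USER_NAME"] for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]}


def find_risky_logins(rows, cutoff=BASELINE_END):
    """Successful logins after cutoff that were password-only AND came from an IP
    or client type that user had not used during the baseline."""
    baseline = build_baseline(rows, cutoff)
    findings = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES" or _ts(r) < cutoff:
            continue
        if r["FIRST_AUTHENTICATION_FACTOR"] != "PASSWORD" or r["SECOND_AUTHENTICATION_FACTOR"]:
            continue  # key-pair or MFA logins are left to other rules
        known = baseline[r["USER_NAME"]]  # defaultdict: an unseen user gets empty sets
        reasons = []
        if r["CLIENT_IP"] not in known["ips"]:
            reasons.append("new IP " + r["CLIENT_IP"])
        if r["REPORTED_CLIENT_TYPE"] not in known["clients"]:
            reasons.append("new client " + r["REPORTED_CLIENT_TYPE"])
        if reasons:
            findings.append({"user": r["USER_NAME"], "when": r["EVENT_TIMESTAMP"],
                             "ip": r["CLIENT_IP"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("password-only accounts:", sorted(password_only_users(LOGIN_HISTORY)))
    for f in find_risky_logins(LOGIN_HISTORY):
        print(f"ALERT {f['when']} {f['user']} from {f['ip']}: {', '.join(f['reasons'])}")
```

Against a real account the rows come from a query over SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY for the period in question. The password_only_users() list is the first thing to act on: every name on it is an account that a phished or stealer-harvested password unlocks with nothing else, which is exactly the condition this breach needed.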

The Concerning Bit

The attackers had over six weeks (April 2 to May 18, by Ticketmaster's own notice) to explore the data and exfiltrate at least 1.3 terabytes of it, covering over 500 million users.

The concerning bit is that, in addition to full PII (personally identifiable information) such as addresses, phone numbers and email addresses, the data included encrypted credit/debit card numbers alongside plaintext expiration dates.

I get it, it’s a lot more convenient to have the cards on file for future purchases…

However, if you are encrypting and storing credit/debit card numbers in order to use them again, that means you are also DECRYPTING them.

For an application to decrypt and process the cards, the encryption key has to be available to it at run time. Hopefully it was not stored in the same Snowflake account, and, if it wasn't, hopefully the attackers did not find a way to pivot to wherever the keys were kept and exfiltrate those too. Encryption at rest only buys something when the key lives behind a separate trust boundary (an HSM or cloud KMS that wraps per-record data keys and logs every unwrap), so that a copy of the warehouse alone is just ciphertext and a decryption spree shows up in the key service's audit trail.

Keep in mind, they had over six weeks to try to get as much as possible. At this point we can only hope they did not get the keys as well.

Identity Theft

While it's great that Ticketmaster will leverage TransUnion to monitor for identity theft now that all our personal data has leaked, that offer is only good for 12 months. Identity theft and fraud rings often take their time assembling data from multiple breaches, so it is entirely possible that the full effects of this breach will not be felt until well after that year is up.

Data Pools and Synthetic Identities

This topic probably deserves its own post, but I'll just say this: over 500 million additional personal records, if released on the dark web, would be a very convenient augmentation for AI to train on.

To generate convincing synthetic identities and deepfakes, AI needs real people to analyze and model. Why not just create completely random "fake people"? Because they won't pass scrutiny. A truly valuable synthetic identity is believable enough to befriend your friends and family on Facebook as a distant relation. Powered by AI, it can hold full conversations and recall personal events from the past that you and others also know of. Once it has established itself as part of your life and drawn you into conversation to learn more about you, it is one step closer to taking over your accounts.

Deepfake attacks against banking services are trending up and are likely to continue for the foreseeable future. Unfortunately, data breaches like this one are more fodder for malicious AI to chew on.

It’s Time to Stop Playing Whack-a-Mole

I've written before about the #DataPrivacyRevolution and the growing need to give control of personal data back to the individual. The Ticketmaster breach is a prime example of an event that could not occur in this form if personal data were not stored with online merchants at all, but instead encrypted, tokenized and validated elsewhere.
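To make the key question from "The Concerning Bit" concrete, and to show what "encrypted, tokenized and validated" actually changes, here is an added example: it is not the author's forthcoming demo and not any Ticketmaster or Snowflake code. It contrasts three ways a merchant might keep a card on file (ciphertext with the key in the same store, envelope encryption with the key-encryption key held outside the warehouse, and tokenization where the merchant never holds the card number), then shows what an attacker who exfiltrates only the warehouse rows gets in each case. Assumptions: the cipher is a standard-library stand-in (HMAC-SHA256 keystream with an HMAC tag) for AES-GCM, the KMS and TokenVault classes are simplified stand-ins for a real key service and a processor-side vault, and the PAN is the usual test number with keys and tokens generated locally.

```python
"""Encrypted card numbers are only as safe as wherever the key lives.

Added example, not code from the original post. Three ways a merchant could keep a
card on file: ciphertext with the key in the same store, envelope encryption with the
key-encryption key (KEK) outside the warehouse, and tokenization where the merchant
never holds the PAN. The cipher is a stdlib stand-in (HMAC-SHA256 keystream plus an
HMAC tag); real systems should use AES-GCM from a vetted library. Test PAN only.
"""
import hashlib
import hmac
import secrets

TEST_PAN = "4111111111111111"  # standard test number, not a real card

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _stream(ek, nonce, n):
    return b"".join(_prf(ek, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def encrypt(key, plaintext):
    """nonce || ciphertext || tag; encrypt-then-MAC with separate subkeys."""
    ek, mk = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + _prf(mk, nonce + ct)

def decrypt(key, blob):
    ek, mk = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_prf(mk, nonce + ct), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _stream(ek, nonce, len(ct))))

class KMS:
    """Stand-in for a key service outside the warehouse. The KEK never leaves; callers
    get data keys wrapped or unwrapped, and every unwrap is logged (the alerting hook)."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self.unwrap_log = []

    def wrap(self, dek):
        return encrypt(self._kek, dek)

    def unwrap(self, wrapped, caller):
        self.unwrap_log.append(caller)
        return decrypt(self._kek, wrapped)

# Design 1: key kept in the same store as the ciphertext (what the post hopes did not happen).
def store_with_local_key(pan, expiry, key):
    return {"pan_ct": encrypt(key, pan.encode()), "expiry": expiry, "key": key}

# Design 2: envelope encryption; only a KMS-wrapped data key sits beside the ciphertext.
def store_enveloped(kms, pan, expiry):
    dek = secrets.token_bytes(32)
    return {"pan_ct": encrypt(dek, pan.encode()), "wrapped_dek": kms.wrap(dek), "expiry": expiry}

def charge_enveloped(kms, row, caller):
    """The application path: the key is reachable, but only through an audited KMS call."""
    return decrypt(kms.unwrap(row["wrapped_dek"], caller), row["pan_ct"]).decode()

# Design 3: tokenization; the PAN lives in a separate vault and the merchant keeps a handle.
class TokenVault:
    def __init__(self, kms):
        self._kms, self._rows = kms, {}

    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(12)  # random handle, not derived from the PAN
        self._rows[token] = store_enveloped(self._kms, pan, "")
        return token

    def detokenize(self, token, caller):
        return charge_enveloped(self._kms, self._rows[token], caller)

def store_tokenized(vault, pan, expiry):
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "expiry": expiry}

def attacker_with_dump(rows):
    """PANs recoverable from the warehouse rows alone (no KMS, no vault access)."""
    pans = []
    for r in rows:
        if "key" in r:               # design 1: everything needed is in the dump
            pans.append(decrypt(r["key"], r["pan_ct"]).decode())
        elif "pan_ct" in r:          # design 2: the only key-shaped bytes are the wrapped DEK
            try:
                decrypt(r["wrapped_dek"], r["pan_ct"])
            except ValueError:
                pass
        # design 3 rows have no ciphertext at all; the token only means something to the vault
    return pans

if __name__ == "__main__":
    kms, vault = KMS(), TokenVault(KMS())
    rows = [store_with_local_key(TEST_PAN, "12/27", secrets.token_bytes(32)),
            store_enveloped(kms, TEST_PAN, "12/27"), store_tokenized(vault, TEST_PAN, "12/27")]
    print("attacker recovers:", attacker_with_dump(rows))  # only design 1's PAN
    print("checkout via KMS:", charge_enveloped(kms, rows[1], "checkout-svc"), kms.unwrap_log)
```

The contrast is in attacker_with_dump(). With the key in the dump the card number falls straight out. With envelope encryption the dump is ciphertext plus an opaque wrapped key, and every genuine decryption has to pass through kms.unwrap(), so a six-week decryption spree would be visible in the key service's log even if the warehouse itself raised no alarm. With tokenization the merchant row contains nothing to decrypt at all: the expiry and last four digits still leak, which is why the expiration dates in this breach matter, but a charge is made by handing the token back to the vault, never by the merchant touching the PAN.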

Demo coming soon…

*** This is a Security Bloggers Network syndicated blog from Berry Networks authored by David Michael Berry. Read the original post at: https://berry-networks.com/2024/07/10/the-ticketmaster-breach-a-never-ending-saga/