Malicious software on third-party hosted product, blamed for Ticketmaster data breach

The data breach that could have affected up to five percent of Ticketmaster customers, occurred on a product hosted by a third party, said Ticketmaster.

Under the GDPR, companies have a limited time frame to report a breach. This is well known. But less well known, and perhaps more tricky, they are responsible for the data they collected when it is processed by third parties.

“All your entertainment needs under one virtual roof with tickets for theatre, concerts, sport, family events, clubs and more,” is how Ticketmaster describes itself.  But now it has had to contact customers informing them that payment details may have been compromised.

Article 33 of GDPR states: “In the case of a personal breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authorities…”

So how did Ticketmaster do?

The company said: “We have contacted customers who may have been affected by the security incident. UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018, may be affected as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018.”  It added: “Forensic teams and security experts are working around the clock to understand how the data was compromised.”

As a precautionary measure, Ticketmaster has “notified affected customers that they will need to reset their passwords when they next log into their accounts. “

So it seems to have reacted promptly.

But the breach also illustrates the importance of auditing third parties that could have access to data.

The company said: “Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.” And “as soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites.”

Oz Alashe, CEO of CybSafe, said this incident shows that “the chink in a company’s cybersecurity defences is often found in its vast network of suppliers, partners, and third-party products.”

Oz added: “While most large businesses already have a cybersecurity strategy in place, their smaller suppliers often don’t. The cyber defences of any one organisation are only as strong as the defences of all the businesses and products it entrusts with its data.

“CybSafe’s own study into SME suppliers last year revealed that one in seven simply didn’t have any cybersecurity protocols in place and one supplier in five were not worried about data loss at all.

One thing’s for certain, though: now that GDPR has come into force, the stakes are raised, and fines for this kind of occurrence are on the cards.”


European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.