Concert ticket vendor Ticketmaster has admitted that a malware attack on a third-party vendor has left 40,000 UK customers at risk of identity theft or fraud.
The malicious software, which Ticketmaster spotted on Saturday on a customer support product hosted by Inbenta Technologies, was exporting UK customers' data to an unknown third party, the firm said in a statement.
"As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites," a spokesperson said.
Inbenta's product was running on Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb websites.
Ticketmaster said that less than 5% of its global customer base had been affected, with no North American users impacted. However, IT Pro understands the number could be as high as 40,000 UK users.
UK users who purchased, or attempted to purchase, tickets between February and 23 June may be affected, as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and 23 June 2018.
Compromised information includes name, address, email address, telephone number, payment details and Ticketmaster login details.
Ticketmaster added that forensic teams and security experts are "working around the clock" to understand how the data was compromised.
The vendor has urged users to log in as normal and immediately change their passwords. It is also offering affected customers a free 12-month identity monitoring service.
It added: "We recommend that you monitor your account statements for evidence of fraud or identity theft. If you are concerned or notice any suspicious activity on your account, you should contact your bank and any credit card companies."
"This code is not part of any of Inbenta's products or present in any of our other implementations," said an Inbenta spokesperson.
"Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018."
Inbenta said it resolved the vulnerability on 26 June. "We have also thoroughly checked all custom and general scripts and snippets, and we are completely confident that no other customer of Inbenta has been compromised in any way," the spokesperson added.
A spokesperson for the National Cyber Security Centre (NCSC) said: "We are aware of a cyber incident affecting Ticketmaster. The NCSC is working with our partners to better understand the incident."
This is the first major breach to have taken place under the Data Protection Act 2018 and the EU's General Data Protection Regulation (GDPR). Both stipulate higher potential fines for data protection failures, up to around £17 million or 4% of an organisation's annual turnover.
A spokesperson for the UK data protection authority, the Information Commissioner's Office, said: "We have been made aware of an issue concerning Ticketmaster and will be making enquiries. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts."
Both Ticketmaster and Inbenta have been approached by IT Pro for further comment.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.