The General Data Protection Regulation went “live” on May 25th 2018, and we knew it wouldn’t be long until a significant breach was reported in the news. Surprisingly, the offender was Ticketmaster, one of the largest entertainment ticket sales and distribution companies in the world.
At the start of this week, Ticketmaster began contacting customers from the UK and Ireland who used their website between February and June of this year, following the discovery of a data breach that was caused by a customer support product.
Software developer Inbenta Technologies was exporting customer names, addresses, e-mail addresses, telephone numbers, login details, and payment details to an unknown third party.
“On the evening of Saturday, June 23rd, we received notice from our customer Ticketmaster that the personal data of its users may have been compromised,” explained Inbenta CEO Jordi Torras on the company website.
“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”
“We have resolved the vulnerability as of June 26th. We have also thoroughly checked all custom and general scripts and snippets, and we are completely confident that no other customer of Inbenta has been compromised in any way. We can fully assure our customers and end-users that no other implementation of Inbenta across any of our products or customer deployments has been affected.”
Ticketmaster has offered all notified customers a 12-month subscription to an identity management service and advised them to change their passwords.
This highlights the importance of good communication between Data Controllers and Data Processors to ensure that personal data is kept safe and secure. It will also be interesting to see how the enforcing bodies handle this scenario.