By The Integrity360 Team on July 04, 2018

Takeaways from the Ticketmaster and Harvey Norman data breaches

Cyber Risk and Assurance, Breaches, Alerts & Advisories, Compliance & Regulation, Retail & Ecommerce

Risk is an inescapable part of life, but many companies continue to believe it doesn’t apply to them.

It’s the only aspect of business where executives hold the mantra, “them, not us,” and recent events at Ticketmaster and Harvey Norman have proven it to be a dangerous ideology.

Both companies recently revealed they suffered a data breach. But the actual target of the hacking campaign wasn’t Ticketmaster or Harvey Norman, and it’s why their stories are one that businesses can learn from. 

Ticketmaster data breach: All the facts 

On the 23 June 2018, Ticketmaster UK discovered malware residing on a customer support system hosted by third-party vendor Inbenta Technologies. The company subsequently disabled the product and alerted its userbase of the data breach four days later.

Ticketmaster believes the campaign was limited in scope: 

  • Attackers had access to the system from February to June 2018. 
  • The Inbenta platform was used and exploited on the following websites: Ticketmaster International, TicketWeb, Ticketmaster UK and GETMEIN!. 
  • Roughly 5 percent of its global customer base, primarily in Europe, had its credentials exposed. 

The campaign hinged on malicious threat actors gaining access to a library of source code stored on Inbenta servers, ZDNet reported. From there they were able to manipulate a line of JavaScript that was designed in accordance with unique Ticketmaster requirements, and resided on the company’s payments page, Jordi Torras, CEO of Inbenta, said.

The data breach is the first major one of its kind to be reported after the General Data Protection Regulation (GDPR) went into effect at the end of May 2018. But whether GDPR applies is still unclear since Monzo, a digital bank, reportedly informed Ticketmaster of a potential data breach in April 2018 – before companies became liable for GDPR.

Monzo alleged that roughly 50 of its customers disclosed fraudulent transactions to the institution on 6 April 2018. Of that group, nearly 70 percent had one commonality: They were customers of Ticketmaster. The firm reported the new trend to Ticketmaster, and Monzo continued to handle its emergence internally within its financial crime and security team. 

Harvey Norman data breach: All the facts 

On the 27 June 2018, Typeform, a web form provider, alerted Harvey Norman of a data breach on its systems. The scope of the breach led to a small number of the electronics and furniture retailer’s customers having their personal details exposed, but not any sensitive information such as their finances.

Harvey Norman reported the breach to the Data Protection Commission on the 29 June 2018, and its customers shortly thereafter. It has since taken all Typeform services down off of its website.

The Typeform data breach also affected Monzo, Travelodge and the Fortnum & Mason food shop, among others, according to Fora. 

Ticketmaster, Inbenta and GDPR 

Ticketmaster was the first major data breach to take place in the EU since the GDPR went into effect on 25 May 2018. But a whole host of details – not the least of which is when Ticketmaster was informed of the breach – could play a role in what type of action is taken against the company.

Ticketmaster is a data controller, and the majority of the legal requirements of GDPR fall squarely on its shoulders. The business is responsible for hosting the personal information of its customers, no matter how it gets that data.

Inbenta is a data processor, and as such does not have as prominent a legal requirement at Ticketmaster does in safeguarding consumers’ personal information. Its customer support platform simply acted as a middleman in processing data, and Inbenta’s only legal obligation was to comply with Ticketmaster’s pre-determined guidelines, the Irish Data Protection Commission reported.

One of the key facts that will play a role in exactly how serious of an infraction this is would be when Ticketmaster found out about it. Organisations must report a breach within 72 hours, but if Monzo’s story holds true then the situation could become murky because it could have taken place before GDPR went into effect. Non-compliance fines for GDPR can reach either 2 or 4 percent of a company’s global revenue, depending on the severity of non-compliance. 

What does this mean for cyber risk? 

Although it’s unclear exactly which companies are at fault at the moment, finding out won’t change which party the burden lies with. As data controllers, businesses are 100 percent responsible for the systems they have in place to collect and store data.

It’s an aspect that could be overlooked in cyber security strategies. Data processors aren’t nearly as culpable as controllers under GDPR, and malicious threat actors are taking advantage of that. Hackers know that controllers’ digital infrastructure are likely to be robust, but holes can be found in businesses like Inbenta that may not have the legal incentive to invest as much financially into cyber security as Ticketmaster does.

With GDPR now in full swing, expect hackers to take a similar route as those who did with Ticketmaster. Large companies have left a winding trail of digital access with the help of Software-as-a-Service and cloud technology, and threat actors are realising just how easy it is to expose that flaw.

With the overreliance on third-party vendors for key parts of operation in modern business, managing these large ecosystems of providers is difficult given the lack of visibility and assurance. To protect themselves as much as possible from legal action, data controllers should have robust and detailed contracts in place with data processors.

Conducting regular audits is crucial to finding errors or exploits that lead to a breach before they have the chance to develop. A third-party risk management framework should be the foundation of every business’ efforts to maintain GDPR compliance.

Organisations that are giving access to third-party vendors must be aware that the responsibility of GDPR falls squarely on their shoulders – even if a malware campaign starts elsewhere.

Sign up to receive the latest insights

Join our cyber security community to stay up to date with the latest news, insights, threat intel and more right in your inbox.  All you have to do is choose how often.