Ticketmaster is hit by a £5 million legal action after online payment card theft

Graham Cluley


A British firm of solicitors, which specialises in helping victims of cybercrime claim compensation, has launched a £5 million (US $6.5 million) legal action against Ticketmaster, BBC News reports.

In June last year, Ticketmaster warned that it had discovered that an external third-party script from Inbenta, which was used to provide an online chatbot and support on the Ticketmaster website, had been silently stealing information from up to 40,000 customers.

Personal information compromised includes names, addresses, email addresses, telephone numbers, payment details and login details.

Ticketmaster confirmed that Inbenta’s code was running on the Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb websites, but that customers in North America were not affected.

As the breach became headline news, Inbenta criticised Ticketmaster for embedding the script onto its checkout page:

“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

In short, Ticketmaster blamed Inbenta. And Inbenta blamed Ticketmaster.

You can argue until the cows come home who was more at fault, but the ultimate villains of the story are – of course – the Magecart group who planted form-skimming code into Inbenta’s code.

And, according to security researchers, Inbenta was not the only third-party provider used by Ticketmaster that was compromised by the Magecart group.

What’s so dangerous about a Magecart attack is that it doesn’t matter if a company doesn’t store your full payment details such as the CVV code on the back of your credit card. Nor does a Magecart attack have to break into a company’s database or crack sophisticated encryption.

Instead, Magecart’s malicious script can lurk on a company’s website watching the information as it is entered by customers into a payment form, and send it to the waiting hackers.

Fascinatingly, digital bank Monzo said that it had warned Ticketmaster of a possible breach of payment card information three months before the ticketing company confirmed the problem publicly.

One imagines that the team at Widnes-based Hayes Connor Solicitors will try to make the most of that, and other information about the case, when making their damages claim for more than 650 people who say they were impacted by the Ticketmaster security incident.

Hayes Connor Solicitors have created a webpage where they are inviting other victims to register their interest in making a claim for compensation.

Class-action lawsuits over data breaches are nothing new in the United States, and are beginning to become more common in the UK too. In September 2018, the UK branch of a US law firm launched what it claimed to be a £500 million legal action against British Airways after almost half a million card details were stolen via its website.

We discussed that British Airways security breach in an episode of the “Smashing Security” podcast at the time:

Smashing Security #95: 'British Airways hack, Mac apps steal browser history, and one person has 285,000 texts leaked'


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.