Who is this guidance for?
Customers of Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb websites, whose personal information may have been compromised.
On Saturday, June 23, 2018, Ticketmaster UK reported malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.
Ticketmaster UK has reported:
- fewer than 5% of their global customer base has been affected by this incident. Those customers who may have been affected have been contacted by the company, and all notified customers will be required to reset their passwords when they next log into their accounts
- customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 may be affected as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018
- information which may have been compromised includes: name, address, email address, telephone number, payment details and Ticketmaster login details. Further details can be found on Ticketmaster UK’s dedicated webpage
The National Crime Agency (NCA) is now leading the UK law enforcement response to the data breach, with specialist officers from the National Cyber Crime Unit (NCCU) working with the company to secure evidence. Due to the complexity of these enquiries, the investigation will take some time.
What should I do?
Read through the NCSC advice below and take any appropriate steps.
Anyone concerned about fraud or lost data should contact Action Fraud. Use Action Fraud’s online fraud reporting tool any time of the day or night, or call 0300 123 2040. For further information visit www.actionfraud.police.uk.
We also recommend that people are vigilant against any suspicious activity on their bank accounts and credit cards and contact their financial provider if they have concerns.
NCSC advice to customers
Attackers who have the stolen personal data may use it to approach you, and trick you into revealing further personal information that they can use to harm you. Payment details may be used to carry out fraud or identity theft.
Be wary of phishing
Be particularly wary of unsolicited emails, phone calls or SMS messages asking you to disclose further personal details eg login information – especially if they claim to come from your bank/credit card provider. Such scams can be very convincing, and attackers may use your personal data to make them look even more realistic.
Genuine financial institutions will not ask you to reply to an email with personal information, or details about your account. If you contact them, use a phone number/email address you have looked up yourself, rather than one sent to you in the email – it may be false. For further information, look at NCSC guidance on the phishing threat following data breaches.
If you spot a suspicious email, report it to your chosen email provider. Report suspicious phone calls or SMS messages to Action Fraud.
Monitor your financial accounts
Monitor your financial accounts online or through statements for strange activity, such as transactions you do not recognise. If you do find something suspicious, report it immediately to your provider or Action Fraud.
You can check your credit rating quickly and easily online. You should do this every few months anyway, using a reputable service provider and following up on any unexpected or suspicious results.
Update your password
We recommend you change your password for any Ticketmaster UK accounts. You should also ensure that password is not used to log in to any other accounts. You may want to consider using a password manager.
Take a look at our blog post for more information.
Advice for website administrators
In certain cases, some technical measures can also help prevent inclusion of compromised third-party resources:
- SRI (Subresource Integrity) allows the browser to check a cryptographic hash of the script to ensure that your users are running the unaltered version. However, SRI will only work if the script is relatively static. If it changes regularly, the hash will no longer match and the script will not be loaded by users. Also, browser support for SRI is not universal
- CSP (Content Security Policy) allows you to whitelist locations where scripts can be loaded from. Several independent researchers have written that having a well-defined CSP in place would have blocked this attack
We recommend putting the above mitigating measures in place where practical. While we recognise these will not necessarily protect end users in all cases, they will reduce the chances of your website being compromised.
- Implement robust change control for your code, including monitoring your codebase for unauthorised modifications, reviewing code contributions, and having a rapid takedown process in place in case a compromise is detected
- Where you offer hosted versions of your library, ensure that you have robust access control and logging in place for making changes to the library
- Consider supporting customers who wish to use Subresource Integrity (SRI). For example, providing numbered versions of libraries which remain static, and so have static cryptographic hashes, will enable customers to validate their integrity
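The SRI and CSP measures described above, as an added Node.js example (not NCSC or Ticketmaster code): it computes the integrity value for a reviewed copy of a third-party script, checks a later copy against it the way a browser would, and builds a script allowlist header. The function names, the `cdn.vendor.example` URL and the script contents are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Relative strength of the hash algorithms SRI defines.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// SRI value for script bytes: "<alg>-<base64 digest>".
function sriHash(content, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(content).digest('base64')}`;
}

// Browser-style check: only the strongest listed algorithm counts,
// and any one matching hash of that algorithm passes.
function verifyIntegrity(content, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((value) => ({ alg: value.split('-')[0], value }))
    .filter((e) => STRENGTH[e.alg]);
  // A browser loads the script when no usable hash is listed;
  // this deploy-time check fails closed instead.
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => STRENGTH[e.alg]));
  return entries
    .filter((e) => STRENGTH[e.alg] === best)
    .some((e) => e.value === sriHash(content, e.alg));
}

// Script tag pinning the reviewed copy; crossorigin is required
// for the browser to apply SRI to a cross-origin script.
function scriptTag(url, content) {
  return `<script src="${url}" integrity="${sriHash(content)}" crossorigin="anonymous"></script>`;
}

// CSP header value allowing scripts only from the site and listed origins.
function cspHeader(origins) {
  return `script-src 'self' ${origins.join(' ')}`;
}

// Constructed sample data: a reviewed vendor script and an altered copy.
const SCRIPT_URL = 'https://cdn.vendor.example/support/1.2.0/widget.js';
const REVIEWED = Buffer.from('function openSupportChat(){ /* v1.2.0 */ }\n');
const ALTERED = Buffer.from('function openSupportChat(){ /* v1.2.0 */ }\n/* appended */\n');

console.log(scriptTag(SCRIPT_URL, REVIEWED));
console.log('Content-Security-Policy:', cspHeader(['https://cdn.vendor.example']));
console.log('reviewed copy passes:', verifyIntegrity(REVIEWED, sriHash(REVIEWED)));
console.log('altered copy passes:', verifyIntegrity(ALTERED, sriHash(REVIEWED)));
```

Running the same check against the supplier's hosted file on a schedule shows when a pinned script has changed before users' browsers start refusing it.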