64,000 Tomorrowland-goers compromised in data breach

The personal data of tens of thousands of attendees of Tomorrowland 2014 has been compromised in a suspected cyberattack, the festival has confirmed.

Personal information of 64,000 people who bought tickets through Paylogic, including names, email addresses and postcodes, may have been stolen after hackers gained access to an old festival database, although sensitive data such as payment information was not affected, according to Tomorrowland press coordinator Debby Wilmsen.

Speaking to Flemish-language daily De Standaard, Wilmsen says the Belgian festival, one of the world’s largest electronic dance music (EDM) events, reported the breach to the Dutch Data Protection Authority before contacting customers.

“The managers of the Paylogic ticketing system noticed some unusual activity on an older system,” she explains. “After careful analysis, it appeared that an old database from Tomorrowland 2014 was responsible. The server in question was immediately taken offline.”


“When we were informed about this by Paylogic, we first informed the Data Protection Authority. We then decided to send an email to all affected visitors to inform them.”

The data that was compromised, she adds, “only contains [visitors’] names, email address, gender, age and postal code. The payment details, passwords and addresses of the users are not included.”

News of the Paylogic breach follows similar hacks of other ticketing systems, including Ticketmaster and, more seriously, Eventbrite’s Ticketfly, both this summer.

In a statement, Paylogic (now owned by France’s Vivendi) says it has “taken all necessary actions” to prevent access to other old databases. “We also continue to invest in the security of our system,” it adds. “This incident only affects Tomorrowland 2014 and not our other customers.”

 


Get more stories like this in your inbox by signing up for IQ Index, IQ’s free email digest of essential live music industry news.

Eventbrite sued over Ticketfly data breach

Eventbrite is facing a class-action lawsuit over allegations Ticketfly’s “lax cybersecurity procedures” allowed hackers to gain access to 27 million customers’ personal data in May’s cyberattack.

Personal information including names, addresses, email addresses and phone numbers was stolen in the data breach, which led to a week-long shutdown of all Ticketfly services, as well as a number of Ticketfly.com-based venue websites, and forced several promoter partners to push back onsales or migrate to parent company Eventbrite’s platform.

While Ticketfly moved quickly to reassure clients it “takes privacy and security very seriously”, a lawsuit filed in Cook County, Illinois, on Tuesday claims otherwise, accusing the company of consumer fraud, deceptive practices, breach of contract and negligence for its supposedly poor web security – including allegedly failing to heed hackers’ warnings in the run-up to the attack – and an inadequate response once it was discovered.


Ticketfly/Eventbrite’s “lax cybersecurity procedures” allowed hackers to gain access to her and others’ personal information, says lead plaintiff Shanice Kloss, with the company allegedly failing to “take reasonable measures” to “mitigate the vulnerability”, despite hackers making contact ahead of the attack.

Additionally, claims Kloss, Ticketfly failed to notify her that her data had been compromised, instead limiting its immediate response to a “passive support page” on the Ticketfly website and a “single tweet on social media”. Consequently, she says, she did not learn about the hack until September, months after her personal data was accessed.

Kloss, represented by Jad Sheikali and William Kingston of Chicago’s McGuire Law, seeks unspecified damages and a court order forcing Ticketfly to improve its cybersecurity.

Eventbrite declined to comment.


Ticketmaster hack “the tip of the iceberg”

The recent Ticketmaster data breach formed part of a “massive digital credit card-skimming campaign” that affected more than 800 other websites, according to a leading cyber-security company.

The breach, announced in late June, involved malicious software on a customer-support product hosted by a third-party supplier, Inbenta Technologies, that ran on Ticketmaster International, Ticketmaster UK, Get Me In! and TicketWeb websites. Those potentially affected are British customers who bought or attempted to buy tickets between February and 23 June 2018, and international customers who used the service between September 2017 and 23 June 2018.

While the hack was initially thought to be an isolated incident, a new report by security firm RiskIQ, Inside and Beyond Ticketmaster: The Many Breaches of Magecart, reveals the compromised Inbenta plug-in also ran on hundreds of other websites, including “many of the most frequented ecommerce sites in the world”.

According to RiskIQ, the attack was undertaken by a hacking group, Magecart, who placed a “digital skimmer” – an internet version of the physical ‘skimmers’ hidden in credit-card readers in shops and cash machines – on the Ticketmaster sites via Inbenta.

In addition to the Inbenta Technologies software, the RiskIQ report continues, Magecart injected its skimmer into another third-party supplier, SociaPlus, which is running on other Ticketmaster websites, including Ticketmaster Germany and Ticketmaster Australia.

Also affected is a third supplier, known as PushAssist, which provides analytics for websites, says RiskIQ.


Describing the Ticketmaster incident as “the tip of the iceberg”, the report’s authors, Yonathan Klijnsma and Jordan Herman, say: “The Ticketmaster incident received quite a lot of publicity and attention, but the Magecart problem extends to ecommerce sites well beyond Ticketmaster, and we believe it’s cause for far greater concern. We’ve identified over 800 victim websites from Magecart’s main campaigns, making it likely bigger than any other credit card breach to date. In the case of a single, highly targeted campaign we dubbed SERVERSIDE, we identified nearly 100 top-tier victims, mainly online shops of some of the largest brands in the world.

“Even more disturbing, the Ticketmaster breach demonstrates that the Magecart actors are continuing to refine their techniques and get better at target selection. Previously, they compromised individual websites and added new Javascript or links to remote Javascript files, but they seem to have [got] smarter – rather than go after websites, they’ve figured out that it’s easier to compromise third-party suppliers of scripts and add their skimmer. In some cases, compromising one of these suppliers gives them nearly 10,000 victims instantly.

“Currently, the publicly reported breaches are wrongly interpreted and sometimes aren’t breaches at all. They’re all part of the operation of Magecart, a single group that many reports fail to identify, which is spreading faster and wider than ever before.”

RiskIQ first identified the existence of Magecart – which has previously compromised the websites of publisher Faber and Faber and fashion brands Guess and Rebecca Minkoff – in October 2016.


Ticketmaster customer info compromised after data breach

Ticketmaster customers have been warned that they could be at risk of identity theft after the company yesterday confirmed that data had been compromised in an extensive data breach. The breach involved malicious software on a customer support product hosted by an external third-party supplier, Inbenta Technologies.

The product ran on Ticketmaster International, Ticketmaster UK, Get Me In and TicketWeb websites. Those potentially affected are UK customers who bought or attempted to buy tickets between February and 23 June 2018 and international customers who used the service between September 2017 and 23 June. Those thought to be affected have been notified.

Ticketmaster is advising those affected to change their passwords on their next sign-in and monitor their account statements for evidence of fraudulent activity. Impacted customers are also being offered a free 12-month identity monitoring service with a leading provider. On a dedicated website set up to address the questions of those affected, Ticketmaster says it is working with relevant authorities, credit card companies and banks, as well as forensic teams and security experts.

Ticketmaster serves over 230 million customers worldwide each year, though it believes less than 5% have been affected by the breach.

The Guardian is reporting that a number of Ticketmaster customers have already experienced fraudulent activity on their accounts. According to the newspaper, people have identified unauthorised transfers using the service Xendpay and unauthorised purchasing of Uber gift cards and payments to Netflix.

This data breach is the second event of its kind involving a ticketing company in recent weeks. Earlier this month, leading US ticketing platform Ticketfly was involved in a cyber attack which led to the data from 27 million accounts being compromised.

Both events are particularly timely, coming just a month after the adoption of the new European General Data Protection Regulation (GDPR) on 25 May. GDPR requires all companies, even those outside of the EU, to ensure that data belonging to European citizens be treated with “an appropriate level of security”.
