10/06/2024
An undisclosed number of Australians have had their private information compromised in a cyber incident at leading ticketing company Ticketek, occurring just days after fellow site Ticketmaster suffered a similar fate.
While Ticketek assured that passwords are securely encrypted and customer accounts have not been directly compromised, the company admitted that its investigation indicates customer names, dates of birth, and email addresses may have been impacted. Ticketek emphasised that it does not hold identity documents for its customers and that its online payments are processed by a separate system which has not been affected.
“On a precautionary basis, we recommend that our customers remain vigilant for potential phishing emails and other scam communications, including from organisations purporting to be from Ticketek,” the company stated. “We thank our customers for their understanding and support as we work through this.”
Ticketek has not publicly disclosed the number of account holders affected, but the company reports selling over 23 million tickets annually and attracting over 1.9 million unique users to its website each month.
Government Response and Customer Vigilance
Cyber Security Minister Clare O’Neil commented that the breach potentially affects many Australians. “Where companies hold a significant amount of data, Australians expect that they look after it,” O’Neil wrote on LinkedIn. She stressed the importance of companies quickly alerting affected customers and offering support, advising Australians to be especially vigilant against scams during this period.
Third-Party Involvement and Broader Implications
In a statement, Ticketek revealed that the impacted data is stored on the cloud-based platform of a “reputable, global third-party supplier,” though the specific supplier was not named. Last week, Ticketmaster confirmed it was also the victim of a security incident after the hacking group ShinyHunters claimed to have stolen 1.3 terabytes of data from 560 million global customers, including names, addresses, credit card details, and phone numbers.
While Ticketmaster was slow to issue a public statement, its parent company, Live Nation Entertainment, revealed unauthorised activity within a third-party cloud database environment. Cybersecurity firm Hudson Rock released, then retracted, a report suggesting that the breaches at Ticketmaster and US bank Santander Bank were related to a hack at cloud storage firm Snowflake. Snowflake denied responsibility, stating it had not identified evidence of a vulnerability or breach in its platform. Instead, Snowflake pointed to a campaign targeting users with single-factor authentication.
The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre said it is aware of successful compromises of several companies using Snowflake environments and is tracking increased cyber threat activity related to Snowflake customers.
Expert Analysis
Adrian Kitto, co-founder and CTO of security platform Detexian, suggested that the Ticketmaster breach was likely due to a lack of multi-factor authentication. “The fact [the Hudson Rock report] was retracted so quickly suggests that they were shown evidence to the contrary. The working theory, at least in the Ticketmaster hack, is that a Ticketmaster developer’s credential was compromised and it was not configured to use multi-factor authentication.”
Kitto underscored the importance of third-party cloud security, referring to a 2023 breach at corporate authentication company Okta, which impacted clients such as 1Password, BeyondTrust, and Cloudflare. “Both APRA and ASD have been pushing Australian companies to uplift their third-party or supplier risk management practices for a number of years,” said Kitto. “This breach and a number of others are repeatedly showing that your security is only as strong as your weakest link and the weakest link is often outside of your direct control.”
Conclusion
Following the incident, Ticketek has urged customers to remain “vigilant” against phishing emails and scams and to enable multi-factor authentication for online accounts where possible. This breach highlights the critical need for robust cybersecurity measures and proactive communication to protect sensitive customer information and maintain public trust.