Who is this guidance for?
Customers of Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb websites, whose personal information may have been compromised.
Overview
On Saturday, June 23, 2018, Ticketmaster UK reported malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.
Ticketmaster UK has reported;
- fewer than 5% of their global customer base has been affected by this incident. Those customers who may have been affected have been contacted by the company, and all notified customers will be required to reset their passwords when they next log into their accounts
- customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 may be affected as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018
- information which may have been compromised includes: name, address, email address, telephone number, payment details and Ticketmaster login details. Further details can be found on Ticketmaster UK’s dedicated webpage
The National Crime Agency (NCA) is now leading the UK law enforcement response to the data breach, with specialist officers from the National Cyber Crime Unit (NCCU) working with the company to secure evidence. Due to the complexity of these enquiries, the investigation will take some time.
What should I do?
Read through the NCSC advice below and take any appropriate steps.
Anyone concerned about fraud or lost data should contact Action Fraud. Action Fraud’s online fraud reporting tool any time of the day or night, or call 0300 123 2040. For further information visit www.actionfraud.police.uk.
We also recommend that people are vigilant against any suspicious activity on their bank accounts and credit cards and contact their financial provider if they have concerns.
NCSC advice to customers
Attackers who have the stolen personal data may use it to approach customers, and trick them into revealing further personal information that attackers can use to harm you. Payment details may be used to carry out fraud or identity theft.
Be wary of phishing
Be particularly wary of unsolicited emails, phone calls or SMS messages asking you to disclose further personal details eg login information – especially if they claim to come from your bank/credit card provider. Such scams can be very convincing, and attackers may use your personal data to make them look even more realistic.
Genuine financial institutions will not ask you to reply to an email with personal information, or details about your account. If you contact them, use a phone number/email address you have looked up yourself, rather than one sent to you in the email – it may be false. For further information, look at NCSC guidance on the phishing threat following data breaches.
If you spot a suspicious email, report it to your chosen email provider. Report suspicious phone calls or SMS messages to Action Fraud.
Monitor your financial accounts
Monitor your financial accounts online or through statements for strange activity, such as transactions you do not recognise. If you do find something suspicious, report it immediately to your provider or Action Fraud.
You can check your credit rating quickly and easily online. You should do this every few months anyway, using a reputable service provider and following up on any unexpected or suspicious results.
Update your password
We recommend you change your password for any Ticketmaster UK accounts. You should also ensure that password is not used to log-in to any other accounts. You may want to consider using a password manager.
Take a look at our blog post for more information.
Advice for website administrators
Make a risk-based decision on including third-party JavaScript in your site. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.
If practical to do, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means changes to the libraries require access to your server, although this will mean you will need to install security patches yourself.
In certain cases, some technical measures can also help prevent inclusion of compromised third-party resources:
- SRI (Sub-Resource Integrity) allows the browser to check a cryptographic hash of the script to ensure that your users are running the unaltered version. However, SRI will only work if the script is relatively static. If it changes regularly, the signature will no longer be valid and the script will not be loaded by users. Also, browser support for SRI is not universal
- CSP (Content Security Policy) allows you to whitelist locations where scripts can be loaded from. Several independent researchers have written that having a well-defined CSP in place would have blocked this attack
We recommend putting the above mitigating measures in place where practical, and while we recognise these will not necessarily protect end users in all cases they will reduce the chances of your website being compromised.
Advice for third-party JavaScript developers
- Implement robust change control for your code, including monitoring your codebase for unauthorised modifications, reviewing code contributions, and having a rapid takedown process in place for if a compromise is detected
- Where you offer hosted versions of your library, ensure that you have robust access control and logging in place for making changes to the library
- Consider supporting customers who wish to use Subresource Integrity (SRI). For example, providing numbered versions of libraries which remain static, and so have a static cryptographic hashes will enable customers to validate their integrity
Source: NCSC
