Monzo accuses Ticketmaster of ignoring security breach warnings

'Signs of breach' at Ticketmaster detected by start-up bank's anti-fraud team in early April

Start-up bank Monzo warned Ticketmaster of a suspected security breach back in April - but Ticketmaster claimed that its investigation had found nothing wrong.

The claims, made in a blog post by the bank's head of financial crime Natasha Vernier today, contradict Ticketmaster's explanation when it admitted the security breach yesterday.

"We spotted signs of this breach back in early April," Vernier claimed. The link was made after around 50 customers had contacted the bank complaining of potentially fraudulent activity on their accounts.

"After investigating, our Financial Crime and Security team noticed a pattern: 70 per cent of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster…

"Within four-and-a-half hours, the team rolled out updates to our fraud systems to block future transactions on other customers' cards that looked suspicious in a similar way.

"That evening, we reached out to other banks and the US secret services (who are responsible for credit card fraud in the US) to let them know what we'd seen and ask if they'd seen anything similar. At the time, they hadn't.

"Over the following weekend we saw attempted transactions on four of our customer's cards that our fraud system automatically blocked. Of those four cards, two had previously been used at Ticketmaster. The next week, we saw four more compromised cards. All four had been used at Ticketmaster."

On 12 April, Monzo contacted Ticketmaster to share the information that it had gathered, with Ticketmaster telling Monzo that it would conduct an internal investigation - but a week later it responded that it "had found no evidence of a breach" and added that "no other banks were reporting similar patterns".

In contrast, Ticketmaster claimed last night that it only became aware of the security breach on Saturday 23 June - almost two-and-a-half months after it had been informed of a breach by Monzo.

Ticketmaster has blamed a third-party customer support plug-in for the security breach, which spilled the credit card details of 40,000 customers.

While anyone who purchased or attempted to purchase tickets from the Ticketmaster UK, GetMeIn or TicketWeb websites from February this year is affected, Ticketmaster admits that it only discovered the security issue five days ago, on Saturday 23 June.

"On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites," the company admitted in a security advisory.

It added that fewer than five per cent of customers are affected by the breach, although, according to some reports, customers in Australia and Ireland may also be affected.

The advisory did not provide details about how the data was compromised, beyond asserting that Ticketmaster had security forensics teams "working around the clock" to "understand how the data was compromised".

Inbenta, the company that Ticketmaster claims was the source of the compromise, describes itself as a "global leader in AI". Ticketmaster had embedded Inbenta's technology on its websites.

The incident will become the first major security breach in the UK to be investigated under the EU General Data Protection Regulation (GDPR), under which organisations can potentially be fined up to four per cent of turnover. The suggestion that Ticketmaster had been informed, but failed to act, increases the likelihood that Ticketmaster will be subject to a bigger fine.

Ticketmaster has offered customers that it believes have been affected free identity theft monitoring for 12 months, but all Ticketmaster customers have been advised to keep a close eye on bank and credit card statements.

Naturally, the industry has been quick to offer comment.

Ross Brewer, vice president of security software vendor LogRhythm, suggested that it demonstrated the need for organisations to "have tools in place that can identify anomalous activity from the outset. Threat detection tools… are intelligent enough to know what is legitimate behaviour on the network and what is not."

Migo Kedem, director of product management at SentinelOne, pointed out that it is not the first successful supply-chain attack perpetrated via an application, citing the CCleaner compromise last year.

"There are too many defence solutions relying on ‘who you are' rather than ‘what you do', so it becomes relatively easy to attack the supply chain of an application that was not designed to provide security," warned Kedem.

Computing has contacted both Ticketmaster and Inbenta Technologies for more details on the attack and will update the story as more news comes in.