Alleged Ticketmaster hack: Privacy Commissioner says still no notification, expert questions if it even happened

Photo / 123rf

It is still not clear if an alleged hack of global ticket giant Ticketmaster included any New Zealand customer data - and despite a clutch of headlines, some cybersecurity experts are questioning if it even happened.

Hacker group ShinyHunters yesterday claimed to have the following information on about 560 million Ticketmaster customers:

• Names
• Addresses
• Partial credit card data (last four digits plus expiry date)
• Phone numbers
• Ticketmaster purchasing history

The group - which recently tried, unsuccessfully, to extract a $30,000 ransom from MediaWorks for partial data about The Block NZ competition entrants - reportedly wants US$500,000 ($820,000) for the Ticketmaster data.

Reports of the alleged breach first surfaced yesterday.

“The Office of the Privacy Commissioner hasn’t been notified by TicketMaster of a breach impacting New Zealanders,” a spokesman for the Privacy Commissioner said.

“Where an organisation has had a privacy breach that is likely to cause anyone serious harm, it is legally required to notify us and any affected persons as soon as they are practicably able to.

“As a guide, our expectation is that a breach notification should be made to our office no later than 72 hours after agencies become aware of a notifiable privacy breach.”

Ticketmaster did not immediately respond to a request for comment. The firm has not replied to requests for comment from various global media.

Publicity stunt?

Some cybersecurity experts say it’s possible there was no breach and the whole affair is a ShinyHunters publicity stunt after a recent setback on the heels of the failed MediaWorks ransom.

“It’s crucial to approach this incident with scepticism until more information is available, as the timing of the data being offered on the relaunched BreachForums site raises questions about its authenticity,” Toby Lewis, a threat analyst with cybersecurity firm Darktrace, told the Herald.

Earlier this month, the FBI, supported by international enforcement partners including the NZ Police, seized the BreachForums website used by ShinyHunters to trade stolen data - although Emsisoft threat analyst Brett Callow warned the forum had shown “cockroach-like resilience” and the arrest of one of its founders in 2022 and another in 2023.

“If confirmed, Ticketmaster must be transparent about the accessed data.

“Customers can protect themselves by changing passwords and monitoring their accounts, although this may be fruitless if the attackers still have access or if there is no breach in the first place,” Lewis said.

Others say the partial data that’s allegedly been stolen could be used to concoct fake “Ticketmaster” offers.

Either way, customers should be on their guard for fake offers. The key advice is to enable multi-factor authentication, which uses a text message or app to approve a logon from a new device.

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.