“The Office of the Privacy Commissioner hasn’t been notified by TicketMaster of a breach impacting New Zealanders,” a spokesman for the Privacy Commissioner said.
“Where an organisation has had a privacy breach that is likely to cause anyone serious harm, it is legally required to notify us and any affected persons as soon as they are practicably able to.
“As a guide, our expectation is that a breach notification should be made to our office no later than 72 hours after agencies become aware of a notifiable privacy breach.”
Ticketmaster did not immediately respond to a request for comment. The firm has not replied to requests for comment from various global media.
Publicity stunt?
Some cybersecurity experts say it’s possible there was no breach and the whole affair is a ShinyHunters publicity stunt after a recent setback on the heels of the failed MediaWorks ransom.
“It’s crucial to approach this incident with scepticism until more information is available, as the timing of the data being offered on the relaunched BreachForums site raises questions about its authenticity,” Toby Lewis, a threat analyst with cybersecurity firm Darktrace, told the Herald.
Earlier this month, the FBI, supported by international enforcement partners including the NZ Police, seized the BreachForums website used by ShinyHunters to trade stolen data - although Emsisoft threat analyst Brett Callow warned the forum had shown “cockroach-like resilience” and the arrest of one of its founders in 2022 and another in 2023.
“If confirmed, Ticketmaster must be transparent about the accessed data.
“Customers can protect themselves by changing passwords and monitoring their accounts, although this may be fruitless if the attackers still have access or if there is no breach in the first place,” Lewis said.
Others say the partial data that’s allegedly been stolen could be used to concoct fake “Ticketmaster” offers.
Either way, customers should be on their guard for fake offers. The key advice is to enable multi-factor authentication, which uses a text message or app to approve a logon from a new device.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.