There have been major developments in two cyber security attacks.
Ticketmaster has finally admitted some kind of cyber incident took place, after a hack – allegedly exposing customer data – was first reported last Thursday NZT.
A cyber security analyst tells the Herald he has sighted evidence that New Zealanders were among those affected in the apparent breach of the global ticket giant’s systems, which hacker group ShinyHunters claims to have carried out.
Meanwhile, a second hacker group, LockBit, has posted to the dark web, claiming it has Smith & Caughey’s finance, HR, accounting, management and IT department data for sale – with a June 4 deadline for offers (although hackers’ deadlines are frequently reset if no bidders step forth).
The department store, which is closing after 144 years, said on Thursday that it had fallen victim to a major cyber attack. “Our server and retail operations systems have been crypto-locked,” chairman Tony Caughey said.
In a statement from Caughey today, he confirmed the company’s digital team was “actively addressing the situation”.
“Due to the sensitive nature of the incident, we are unable to provide specific details at this time. However, our response team has worked swiftly to restore our systems, allowing us to reopen and resume trading on Friday morning. Our primary focus now is the continued protection of our stakeholders.”
Security experts say that while it seems no passwords were stolen in the alleged Ticketmaster breach, and only partial credit card data (the final four digits plus the expiry date), cyber criminals could use it to craft fake offers to Ticketmaster customers as they sought to harvest their remaining details.
Last week, ShinyHunters claimed to have stolen the following information on about 560 million Ticketmaster customers:
A security analyst forwarded the Herald a screen grab of sample data that ShinyHunters has posted to the dark web, in the form of a half dozen CSV files (a spreadsheet format) covering 10,000 alleged Ticketmaster customers.
It includes details for two New Zealand customers – which the analyst said was about what he would expect, given that it was pitched as a representative sample of some half-billion files.
ShinyHunters – which recently tried, unsuccessfully, to extract a $30,000 ransom from MediaWorks for partial data about The Block NZ competition entrants – reportedly wants US$500,000 ($820,000) for the alleged Ticketmaster data, and is threatening to sell it if the ransom is not paid.
Ticketmaster did not respond to queries from media, including the Herald, and has not posted about the alleged breach on its New Zealand or global websites.
But its parent, Live Nation, broke its silence over the weekend with a May 31 (June 1 NZT) filing to the SEC (Securities and Exchange Commission).
“On May 20, 2024, Live Nation identified unauthorised activity within a third-party cloud database environment containing company data [primarily from its Ticketmaster subsidiary] and launched an investigation with industry-leading forensic investigators to understand what happened.
“On May 27, 2024, a criminal threat actor offered what it alleged to be company user data for sale via the dark web. We are working to mitigate risk to our users and the company, and have notified and are co-operating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorised access to personal information.
“As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.”
There has been speculation that cloud service provider Snowflake is the “third party” mentioned in the Live Nation filing, but in a company blog post, the firm denied any security breach.
Reports of the alleged breach first surfaced on Thursday NZT.
“The Office of the Privacy Commissioner hasn’t been notified by Ticketmaster of a breach impacting New Zealanders,” a spokesman for the Privacy Commissioner told the Herald on Friday.
“Where an organisation has had a privacy breach that is likely to cause anyone serious harm, it is legally required to notify us and any affected persons as soon as they are practicably able to.
“As a guide, our expectation is that a breach notification should be made to our office no later than 72 hours after agencies become aware of a notifiable privacy breach.”
Ticketmaster did not immediately respond to a request for comment. The firm has not replied to requests for comment from various global media.
Some cyber security experts say it’s possible there was no breach and the whole affair is a ShinyHunters publicity stunt after a recent setback on the heels of the failed MediaWorks ransom.
“It’s crucial to approach this incident with scepticism until more information is available, as the timing of the data being offered on the relaunched BreachForums site raises questions about its authenticity,” Toby Lewis, a threat analyst with cyber security firm Darktrace, told the Herald.
Earlier this month, the FBI, supported by international enforcement partners including the New Zealand Police, seized the BreachForums website used by ShinyHunters to trade stolen data – although Emsisoft threat analyst Brett Callow warned the forum had shown “cockroach-like resilience” despite the arrest of one of its founders in 2022 and another in 2023.
“If confirmed, Ticketmaster must be transparent about the accessed data.
“Customers can protect themselves by changing passwords and monitoring their accounts, although this may be fruitless if the attackers still have access or if there is no breach in the first place,” Lewis said.
The separate analyst who told the Herald he had sighted evidence of New Zealand customers said it was not confirmed that the files were authentic.
Either way, customers should be on their guard for fake offers. The key advice is to enable multi-factor authentication, which uses a text message or app to approve a log-on from a new device.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.