In a statement from Caughey today, he confirmed the company’s digital team was “actively addressing the situation”.
“Due to the sensitive nature of the incident, we are unable to provide specific details at this time. However, our response team has worked swiftly to restore our systems, allowing us to reopen and resume trading on Friday morning. Our primary focus now is the continued protection of our stakeholders.”
Security experts say that while it seems no passwords were stolen in the alleged Ticketmaster breach, and only partial credit card data (the final four digits plus the expiry date) was taken, cyber criminals could use that data to craft fake offers to Ticketmaster customers as they seek to harvest their remaining details.
Last week, ShinyHunters claimed to have stolen the following information on about 560 million Ticketmaster customers:
- Names
- Addresses
- Partial credit card data (last four digits plus expiry date)
- Phone numbers
- Ticketmaster purchasing history
A security analyst forwarded the Herald a screen grab of sample data that ShinyHunters has posted to the dark web, in the form of a half dozen CSV files (a spreadsheet format) covering 10,000 alleged Ticketmaster customers.
It includes details for two New Zealand customers – which the analyst said was about what he would expect, given that it was pitched as a representative sample of some half-billion files.
ShinyHunters – which recently tried, unsuccessfully, to extract a $30,000 ransom from MediaWorks for partial data about The Block NZ competition entrants – reportedly wants US$500,000 ($820,000) for the alleged Ticketmaster data, and is threatening to sell it if the ransom is not paid.
Ticketmaster’s parent responds
Ticketmaster did not respond to queries from media, including the Herald, and has not posted about the alleged breach on its New Zealand or global websites.
But its parent, Live Nation, broke its silence over the weekend with a May 31 (June 1 NZT) filing to the SEC (Securities and Exchange Commission).
“On May 20, 2024, Live Nation identified unauthorised activity within a third-party cloud database environment containing company data [primarily from its Ticketmaster subsidiary] and launched an investigation with industry-leading forensic investigators to understand what happened.
“On May 27, 2024, a criminal threat actor offered what it alleged to be company user data for sale via the dark web. We are working to mitigate risk to our users and the company, and have notified and are co-operating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorised access to personal information.
“As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.”
There has been speculation that cloud service provider Snowflake is the “third party” mentioned in the Live Nation filing, but in a company blog post, the firm denied any security breach.
ShinyHunters want US$500,000
Reports of the alleged breach first surfaced on Thursday NZT.
“The Office of the Privacy Commissioner hasn’t been notified by Ticketmaster of a breach impacting New Zealanders,” a spokesman for the Privacy Commissioner told the Herald on Friday.
“Where an organisation has had a privacy breach that is likely to cause anyone serious harm, it is legally required to notify us and any affected persons as soon as they are practicably able to.
“As a guide, our expectation is that a breach notification should be made to our office no later than 72 hours after agencies become aware of a notifiable privacy breach.”
Ticketmaster did not immediately respond to a request for comment. The firm has not replied to requests for comment from various global media.
Publicity stunt?
Some cyber security experts say it’s possible there was no breach and the whole affair is a ShinyHunters publicity stunt after a recent setback on the heels of the failed MediaWorks ransom.
“It’s crucial to approach this incident with scepticism until more information is available, as the timing of the data being offered on the relaunched BreachForums site raises questions about its authenticity,” Toby Lewis, a threat analyst with cyber security firm Darktrace, told the Herald.
Earlier this month, the FBI, supported by international enforcement partners including the New Zealand Police, seized the BreachForums website used by ShinyHunters to trade stolen data – although Emsisoft threat analyst Brett Callow warned the forum had shown “cockroach-like resilience” despite the arrest of one of its founders in 2022 and another in 2023.
“If confirmed, Ticketmaster must be transparent about the accessed data.
“Customers can protect themselves by changing passwords and monitoring their accounts, although this may be fruitless if the attackers still have access or if there is no breach in the first place,” Lewis said.
The separate analyst who told the Herald he had sighted evidence of New Zealand customers said it was not confirmed that the files were authentic.
Either way, customers should be on their guard for fake offers. The key advice is to enable multi-factor authentication, which uses a text message or app to approve a log-on from a new device.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.