Ticketmaster, the global entertainment ticketing service, suffered a breach that may have exposed the personal and payment information of people who used its United Kingdom website, the company publicly disclosed Wednesday.
In its statement, Ticketmaster UK appears to lay blame on a third-party customer service chat application it used on its website. The company said that it identified malicious software one the application, made by Inbenta Technologies, that allowed attackers to access customers’ information. But Inbenta deflected blame back to Ticketmaster, saying that it deployed the chat app improperly.
“As a result of Inbenta’s product running on Ticketmaster International websites, some of our customers’ personal or payment information may have been accessed by an unknown third-party,” Ticketmaster says in its notice.
“Ticketmaster directly applied the script to its payments page, without notifying our team,” Torras said. “Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability.”
According to Inbenta, by applying the script to the payment page, Ticketmaster presented attackers with “a point of vulnerability that affects the capacity for web forms to upload files.”
Torras said that the attackers found the code and modified it in order to exfiltrate customer payment information.
“It is extremely important to note that this situation has nothing to do with any of Inbenta’s industry-leading AI and machine learning products and technology, which serve hundreds of customers on six continents. It is very specific to a particular customer implementation,” Inbenta says on an FAQ page about the incident.
Having analyzed the file systems involved in Ticketmaster’s use of the application, Inbenta says that none of its other customers are affected and that the issue has been resolved as of June 26, although Ticketmaster says it has disabled the Inbenta app across its websites.
Inbenta did not respond to a request for comment. Ticketmaster declined to comment, citing an ongoing investigation. The company says it’s working with security experts, the U.K.’s Information Commissioner’s Office, banks credit and card companies.
Ticketmaster says the breach affects U.K. customers who used the payment page between February and June 23, when the company discovered the compromise and disabled the Inbenta app. International customers who used the page between September 2017 and June 23 are also affected. All-in-all the company says less than 5 percent of its global customer base was affected. Customers in North America are not affected.
It’s not unheard of for breaches to occur via customer service chat apps. In April, 7.ai, another company that develops such apps, disclosed a breach that exposed the payment information of up to 100,000 Seas and Delta Airlines customers.
Apart from the public disclosure, Ticketmaster is notifying victims of the breach directly and offering them a year of free identity monitoring services. Victims are also being prompted to change their passwords.