Ticketmaster has identified ‘malicious software’ hosted by a third-party, Inbenta Technologies, that may have exposed its customers’ data. According to the BBC, the vulnerability may have affected up to 40,000 of its customers.
In an announcement on its website, Ticketmaster claims it identified the problem on 23rd June, at which point it disabled the customer support product provided by Inbenta Technologies.
The General Data Protection Regulation, the EU’s new far-reaching regulation to protect EU citizens’ personal data, came into force on 25th May.
The data potentially exposed includes payment details and other personal data including names, email addresses, addresses, telephone number and login details.
The incident may affect customers in the UK who purchased, or attempted to purchase, tickets between February and June 23rd, as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23rd, 2018.
Ticketmaster states it has contacted affected customers and that customers in North America are unaffected. It has also informed relevant authorities, however the UK’s Data Protection Authority, the Information Commissioner’s Office, is yet to release a statement on the incident.
It advises that all affected customers change their passwords when they next login to their accounts. At this stage, it’s unclear how the data was compromised.
In response to a tweet posted on Ticketmaster’s official Twitter account, a number of Twitter users have claimed unauthorised transactions have been processed from their bank accounts while some have criticized the organization for its response time.
One Twitter user stated, “I’m absolutely appalled. Phone call this morning from my banks fraud team to say someone used my details to book an expensive holiday!”, while another stated, “They were aware of this major breach 4 days ago and only informed us today. Shows how much they care about their customers”.
Organizations found in contravention of the General Data Protection Regulation can face fines of up to 20 million EUR or 4 percent of annual revenue, whichever is higher.