Unpacking the Recent Huge Ticketmaster Breach

In May 2024, news emerged about a Ticketmaster data breach that impacted over 560 million customers of the popular ticketing sales company. While companies of all sizes get their data compromised regularly, this incident was big news in not just the cybersecurity community but also the wider media due to its scale and the high-profile victim. But what exactly happened? Let’s unpack the 2024 Ticketmaster breach.

Ticketmaster Breach: What Happened?

On May 27th 2024, threat actors working as part of the ShinyHunters operation announced via a dark web forum that they’d stolen 1.3 terabytes of data belonging to Ticketmaster. This gang previously garnered a reputation for exfiltrating data from several companies during a prolific spell in 2020 and 2021. Stolen information was primarily about Ticketmaster customers, including names, addresses, emails, and even payment info.

Ticketmaster relies heavily on its digital infrastructure. In fact, most of the company’s ticket sales for events, matches, and gigs come from online channels via the Ticketmaster website and mobile app. The attack’s entry point was Snowflake, a third-party cloud-based data storage and analytics service that Ticketmaster uses to extract insights from vast volumes of data. Hackers gained access to an account using stolen credentials, which then led to sensitive data access and exfiltration.

Here we have a pertinent example highlighting third-party security risks and the transition of hackers from ransomware installations to pure extortion attacks. The ShinyHunters group demanded a $500,000 one-time fee for any prospective buyer of the data. It’s unclear whether the group is open to Ticketmaster paying to avoid its publication.

In an interesting recent development, one of the hackers anonymously spoke to Wired and outlined how the breach stemmed from accessing unencrypted usernames and passwords for Ticketmaster’s Snowflake accounts via a remote access trojan installed on an EPAM Systems employee’s computer. EPAM Systems is a software engineering and digital services company. Rather shockingly, the hacker stated that the Snowflake accounts didn’t even have multi-factor authentication switched on. This best practice has been repeatedly drilled into public awareness, yet companies still neglect it.

It’s worth noting though that the fault does not lie explicitly with Snowflake here. While the incident does highlight third-party security risks, the issue stemmed from not properly securing accounts on third-party services, rather than any inherent security flaw with Snowflake.

Avoiding Similar Incidents

● Get a full inventory of all third-party digital services your company uses and keep track of user accounts on each service. Without this inventory, blind spots can easily go unnoticed, such as users who’ve left the company but still retain access to your digital infrastructure.

● Where the option exists, which it does for most services these days, switch on multi-factor authentication. A stolen or guessed password alone is then no longer enough to take over an account, which removes one of the most easily preventable causes of compromise.

● Encrypt sensitive data wherever it’s stored. Hackers can’t read encrypted data without the key, which makes it practically useless to them.

● Enforce the principle of least privilege by ensuring that employees and systems have access only to the data necessary for their roles. Reducing the number of access points to sensitive information decreases the risk of unauthorized access and potential extortion.

● Participate in industry-specific cybersecurity forums and threat intelligence sharing platforms to keep aware of emerging threats, including new extortion tactics and threat groups. Definitely consider monitoring the dark web for discussions among hackers and for any mentions of your company or employees.
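As an added illustration of the first two recommendations (this is example code written for this article, not a tool from Ticketmaster, Snowflake or DIESEC), the Python script below audits a constructed inventory of third-party service accounts and a constructed login log, flagging accounts whose owner has left, accounts without MFA, dormant accounts, and successful password-only logins. The inventory, the log field names and the 90-day dormancy threshold are assumptions, not any vendor’s real schema.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    service: str        # third-party service name
    user: str           # login on that service
    owner_active: bool  # employee still with the company, per the HR feed
    mfa_enabled: bool   # MFA enrolled on this account
    last_login: date    # most recent successful login

# Constructed inventory of third-party accounts (sample data, not real names).
TODAY = date(2024, 6, 10)
INVENTORY = [
    Account("snowflake", "bi_reporting", True, False, date(2024, 6, 9)),
    Account("snowflake", "j.doe", False, True, date(2024, 1, 15)),
    Account("github", "ci-bot", True, True, date(2024, 6, 10)),
    Account("crm", "old_contractor", False, False, date(2023, 11, 2)),
]

# Constructed login events, loosely modelled on a SaaS login-history export.
# Field names are assumptions, not any vendor's real schema.
LOGIN_EVENTS = [
    {"service": "snowflake", "user": "bi_reporting", "success": True,
     "first_factor": "PASSWORD", "second_factor": None},
    {"service": "snowflake", "user": "j.doe", "success": True,
     "first_factor": "PASSWORD", "second_factor": "DUO_PUSH"},
    {"service": "github", "user": "ci-bot", "success": True,
     "first_factor": "RSA_KEYPAIR", "second_factor": None},
    {"service": "crm", "user": "old_contractor", "success": False,
     "first_factor": "PASSWORD", "second_factor": None},
]

def audit_inventory(inventory, today=TODAY, dormant_days=90):
    """Return sorted (service, user, issue) for orphaned, MFA-less and dormant accounts."""
    findings = []
    for a in inventory:
        if not a.owner_active:
            findings.append((a.service, a.user, "orphaned: owner has left the company"))
        if not a.mfa_enabled:
            findings.append((a.service, a.user, "mfa not enabled"))
        if (today - a.last_login).days > dormant_days:
            findings.append((a.service, a.user, "dormant: no login in %d days" % dormant_days))
    return sorted(findings)

def password_only_logins(events):
    """Successful logins that relied on a password alone: the trace a stolen credential leaves."""
    return sorted((e["service"], e["user"]) for e in events
                  if e["success"] and e["first_factor"] == "PASSWORD" and not e["second_factor"])
```

Run against a real export, the password-only list is the set of accounts to prioritise for MFA enrolment, and the orphaned list is the joiner/leaver gap the inventory recommendation is meant to close.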

The Forensic Investigation

In a report sent to the United States Securities and Exchange Commission (SEC), Ticketmaster’s parent company Live Nation stated they’d enlisted the help of “industry-leading forensic investigators to understand what happened”. IT forensics plays a pivotal role in helping organizations identify how a data breach occurred. By examining digital artifacts and system logs, experts can trace the origin of the attack, whether it be through phishing emails, malware, compromised credentials (like the Ticketmaster case), or software vulnerabilities. Understanding the source of attacks helps close security gaps and prevent similar future incidents.

Understanding the scope and impact of a breach incident swiftly is also important. IT forensics enables you to determine which data hackers accessed or stole, including sensitive personal information, intellectual property, or financial data. This assessment helps in clarifying the potential consequences for your company and its customers, and in complying with any legal and regulatory reporting requirements.

DIESEC’s IT forensics service doesn’t just help with the aftermath of an incident. We get proactive with IT forensics and help you prevent incidents in the first place. IT forensics is often seen as a reactive measure activated in the wake of a cybersecurity incident. However, we’ll proactively examine your IT environment for signs and footprints indicating potential compromises of systems and user accounts. If you are concerned about the security of your company after the Ticketmaster breach, please reach out to us.

Contact us today to learn more.