Got one of these and they don't tell you who the identity monitoring service is. Click on their link and it takes you to website a.pgtb.me to fill in details - never did a URL look more like a phishing attempt...
Ticketmaster gatecrash: Gig revelers' personal, payment info glimpsed by support site malware
Ticketmaster UK has warned punters that malware infected one of its customer support systems – and may have siphoned off their personal information and payment details. Anyone in Britain who bought, or tried to buy, a ticket from the biz between February and June 23 this year, and international customers who purchased, or …
COMMENTS
-
-
This post has been deleted by its author
-
Thursday 28th June 2018 10:12 GMT Anonymous Coward
Agreed - I flagged it as Phishing. The emails were sent out before there was any news coverage, or anything on the TicketMaster website.The a.pgbt.me website link when clicked from the email used http: not https: for the form to enter user data. It all seemed very strange. It was at that point I started thinking I was falling for a Phishing scam...
-
-
-
-
Wednesday 27th June 2018 21:55 GMT yoganmahew
Re: Coincidence?
Me too! This is from Ireland buying ticketmaster UK tickets.
And quite a panic'd affair it was too since the tickets require the original purchase card to accompany them.
Some questions too other than the above about what were Ticketmaster storing - what were they sending to the chatbot company? Everything? There's nothing that you agree to to have your details sent to a third party.
GDPR's first test case?
-
-
Wednesday 27th June 2018 19:12 GMT Anonymous Coward
I had my card used fraudulently a few weeks ago although I am really on the ball with security. I got this email today, so it is probably the culprit. Luckily I use unique email addresses and password for all my online accounts so I should be safe. I am at least glad I have a good idea where my card details were obtained.
-
-
Thursday 28th June 2018 10:12 GMT staggeringlywood
Re: Barclaycard were a little bit proactive.
Same here. I asked them why they were doing it but said they deal with industry partners etc. etc. - I thought it was to do with the Carphone data breach recently but evidently not. I have (had) both my debit and credit card stored on TM's servers but paid for tickets with my Barclaycard, one would hope that my debit card doesn't need replacing too as haven't bought with it for some time...
I was quite surprised about Barclaycard issuing a brand new card and card number but that would hint at the severity / massive balls up that TM have made, as it can't be that cheap to issue brand new cards for thousands of people.
-
-
Wednesday 27th June 2018 19:39 GMT Doctor Syntax
Let's see how the ICO deals with this under GDPR - although there may be a complication that the hack was in progress before. But it gives us chance to see what sort of levels of fines they're going to impose.
And given that the hack was on a US 3rd party supplier it's good to see the Privacy Shield is really doing its stuff.
-
Thursday 28th June 2018 08:24 GMT kain preacher
Doctor Syntax I know lots of people hate Privacy Shield but to me that's not the real issue as this could of easily happened if the the 3rd party was British based . What should be ragged on is why does a chat bot have access to the billing server and why were they storing the cv2 numbers.
-
-
-
Thursday 28th June 2018 06:52 GMT Anonymous Coward
Re: The always reliable 'Get-Out-Of-Jail-Free-Card'
I really don't buy how it's not their fault...
I trust ICO take a very close look at how things were stored and how they were accessed, if they were shared to anyone that passes an initial partner approval.
Also not mentioned, is this also affects Ticketmaster Ireland
I got two emails, from from UK, one from RoI.
-
-
-
Thursday 28th June 2018 08:15 GMT Seajay
The third party don't need the credit card details. However, the "chatbot" javascript from the third party will have been included in the ticketmaster webages. If that javascript coming from the third party is then hacked, it can basically do anything it wants on the ticketmaster page - including keylogging everything that happens and sending a copy to wherever the bad actors want it to go.
Ticketmaster's own processes for credit card details etc may be secure, but the third party code obviously wasn't
-
Thursday 28th June 2018 08:42 GMT steviebuk
Back in the 90s...
...while doing my HDC in Computing my old friend (who I haven't seen in years) Drew, created, for one of our big end of year assignments, a concert ticket program. He called it Ticketmaster*. I wonder if they are using his software still from back then :)
It was coded in Visual Basic.
*He used their name as he loved going to concerts and it was where he purchased his tickets from back in the day. Having never been to any, I'd thought he'd made the name up himself.
-
Thursday 28th June 2018 09:11 GMT $till$kint
Barclaycard also on the ball here
About 3 weeks ago I was notified of two suspicious transactions by BarclayCard; one for close on £1000 for events through another ticket sales company and one for car insurance (yes, really!)
The last transaction prior to these? Ticketmaster on 23rd February.
Smoking gun anyone?
It rather looks like the bad actors gathered data for at least 3 months before they swung into action and started selling the details. On the plus side, both the merchants in this case were keen to take action to cancel the purchases (invalidating tickets and insurance) and were proactive in referring the matter to their internal fraud teams and local police. Barclays had already put chargeback in place, but was nice to see the merchants taking an active stance.
Not often I say this, but beers for Barclays.
-
Thursday 28th June 2018 09:15 GMT werdsmith
There's usually a checkbox, TM have it - "Store my card information - for faster checkout next time"
What idiot checks that box? Absolutely nobody should ever check that box, storing payment information should be outlawed.
I got the notification email but I know I didn't check that box to store the card details, I never do. If this leads to any fraud then TM must have retained the information anyway. I use pre-load card which I add enough to cover purchases on the web and keep empty otherwise so damage limited.
-
Thursday 28th June 2018 10:10 GMT Anonymous Coward
I bought tickets to a gig back in March and a few weeks later had fraud showing on my card. Received the email this morning.
(Possibly) fortunately - Santander decided that the fraudulent transactions were my fault, and despite them finally acknowledging the fraud wasn't my fault, I changed banks so the card used is long gone.
-
Thursday 28th June 2018 10:32 GMT Tom Melly
Clear as mud
Hmm... my CC was used fraudulently a few weeks ago. My bank, FD, stopped it and issued a new card, but have been very reluctant to clarify what they know about the fraud, where it originated from, and how they spotted it, although a rep on the phone did drop a clue that I wasn't alone.
Still in the dark, and puzzled as to why the bank is being cagey.
-
-
Thursday 28th June 2018 10:51 GMT Tom Melly
Re: Clear as mud
I'm not asking for a forensic breakdown - just "X co. got hacked, we got passed a list of potentially affected cards, and monitored those accounts for unusual activity."
The bottom line is that I've no idea which company dropped the ball, and I would like the option of no longer using that service.
-
-
This post has been deleted by its author
-
-
Thursday 28th June 2018 10:49 GMT Lee D
Seriously.
Stop giving your call centre and back-office agents general purpose operating systems and/or permissions enough that they can get infected by any random passing malware. They don't need it.
Also, don't give them free reign of the database access. Rate-limit, dial down permissions and make them REQUEST info. Then if one person requests info on a million users, you know there's something wrong.
2018, and we still can't get the very basics of "need to know" and "minimal permission necessary" right.
-
Thursday 5th July 2018 16:24 GMT Sequin
I got the email a few days ago and today my bank phoned me to say that someone had tried to use my debit card details on a US site and they had flagged it as dodgy. I now have to wait until after the weekend for a new card, and will have to try to get some cash out of one of the few remaining physical branches tomorrow.