Ottawa Ticketmaster users were among millions hit by a major data breach

Article content

The email landed with a thud in the family account earlier this week.

Ticketmaster, the multi-billion dollar California-based ticket sales and distribution company, was advising us — as well as hundreds of millions of fellow subscribers around the world — of a severe data breach after an “unauthorized third party” obtained information from a cloud database at some point between April 2 and May 18.

Article content

It’s not SPAM. It’s not a scam. It’s definitely disconcerting.

What is Ticketmaster saying?

“The information,” Ticketmaster wrote, “may have included your name, basic contact information, and payment card information such as encrypted credit or debit card numbers and expiration dates.”

The email went on to say, “We are fully committed to protecting your information and deeply regret that this incident occurred.”

Some solace, that.

The mind wanders. Did it come from purchasing tickets to see the Senators, the Redblacks, to sing along at Bluesfest or to catch a play at the NAC? Regardless, it creates pause for deep concern here and everywhere.

So much of the entertainment world runs through Ticketmaster without much thought because of the relative simplicity of the online purchasing process.

But hackers, who often demand ransom in exchange for the information they claim to have successfully found while phishing online, have caused a major stir.

Is this the first Ticketmaster data breach incident?

Nope. This week’s public revelation by Ticketmaster comes on the heels of what happened with Ticketmaster parent company Live Nation Entertainment two months ago.

Article content

In a filing with the U.S. Securities and Exchange Commission in May, Live Nation said it was working with forensic investigators after finding “unauthorized activity” in a third-party cloud database and that a “criminal threat actor” was threatening to sell user data on the “dark web.”

A hacking group named ShinyHunters alleged that it had stolen the user data of more than 500 million Ticketmaster subscribers.

No, this isn’t a Tom Clancy thriller turned into a Tom Cruise movie. It’s non-fiction reality.

ShinyHunters has previously been associated with other data breach threats involving major companies, including AT&T and Microsoft.

Are the shows still going on?

Yes, but attention, Swifties. Earlier this week, the H4KMANAC account on X — formerly Twitter — claimed hackers had stolen 170,000 ticket barcodes that would have allowed them access to Taylor Swift concerts in the United States.

Rather swiftly, Ticketmaster chose to shake it off, responding that there is no risk because of ticket barcode protections.
”Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds,” Ticketmaster told CyberRisk Alliance. “This is just one of many fraud protections we implement to keep tickets safe and secure.”

Article content

What can customers do to protect themselves?

Cybercrime isn’t going to stop any time soon, especially with the advent of the additional tools created through Artificial Intelligence, according to Karen Eltis, a University of Ottawa law professor, who specializes in Cyber Security and Artificial Intelligence Law.

Indeed, Statistics Canada reports that in 2022, there were 74,000 cybercrimes reported to police, up from 71,700 in 2021 and 33,900 in 2018. The numbers are probably higher because many people don’t report the criminal activity.

Still, Eltis says one small step to stay ahead of cybercrime is for consumers to “minimize their digital footprint,” and to be more protective of their data.

“People have to understand the landscape and be very careful of their own information,” she said. “You don’t need to sign up for everything.”

Often, Eltis says, consumers don’t think twice when asked to give a birthdate or a postal code after making a purchase.
“Give as little information as possible. Of course, they need a credit card, but if you’re buying soap, why do you need to give that out? It’s a precious resource. Ask why is that relevant. Make sure you only give the minimum that’s needed and related to the transaction. Think about what you are putting out there.”

Article content

She also recommends changing passwords regularly — the longer a password, the harder it is for cryptanalysts to decode.
In addition, avoid using the same password when visiting different sites.

Other protection options include resisting prompts to store credit card information with companies themselves. The website HIBP — Have I Been Pwned — scours databases within hacker forums to determine if a particular email has been found.

How has Ticketmaster tried to alleviate consumers’ concerns?

In addition to advising Canadian customers to “remain vigilant” to protect against theft and fraud and by monitoring accounts for signs of “suspicious activity”, the company is offering a free service with TransUnion of Canada.

“Identity monitoring will look out for your personal data on the dark web and provide you with alerts for one year from the date of enrollment if your personally identifiable information is found online,” the email said.

Why is the Ticketmaster breach sending alarm bells around the world?

In addition to instilling a fair share of fear into the lives of Ticketmaster customers, data breaches can significantly destroy a company’s bottom line.

Article content

“It re-enforces that organizations really need to start taking cyber security more seriously,” said Eltis. “It’s also about the borderless nature of cybercrime. The legal landscape is different globally and that makes things increasingly messy and complex all over the world. Even Quebec law is different than other parts of Canada.”

Generally speaking, European companies face harsher penalties for data breach violations.

In the United Kingdom, the General Data Protection Regulation can fine a company “up to 20 million euros or four percent of total global turnover of the preceding fiscal year” if it’s deemed the company didn’t do enough to protect customer information.

In 2023, Ireland’s Data Protection Commission fined Meta (Facebook) $1.3 billion — with a b — for GDPR violations. A year earlier, China’s Didi Global was fined $1.19 billion by the country’s cybersecurity police for improper use of customer information.

“Organizations need to have robust plans in place to be proactive and adjust to the risk profile and it’s increasingly complicated,” said Eltis.

Article content

“When third parties are involved, more due diligence is necessary. Companies underestimate the chances of being hit, thinking it’s never going to happen to them. There is sometimes human error, there is sometimes a lack of attention to detail.”

The web is a wild world full of dark places and companies can’t afford to fool themselves amid all the noise. Eltis says it’s necessary for companies to lock all the front and back doors to access, not making themselves an easy target.

“I have a colleague who says organizations need to meditate in Times Square.”

kwarren@postmedia.com
X: Citizenkwarren

Article content