See Tickets admits it took nine months to remove malicious code from site


Online ticketing firm See Tickets has admitted that it did not remove malicious card-skimming code from its US website until nine months after it was initially detected, putting customer information at risk.

See Tickets first noticed unauthorised activity on its US website in April 2021 with a threat actor appearing to access event checkout pages. In response, the company hired a forensics firm to investigate further, and made efforts to cut the unauthorised activity.

However, it was not until January 2022 that the company fully ended the malicious activity. See Tickets has not explained why it took this long to take action, but in its consumer notification letter [PDF] stated that the efforts were undertaken in “multiple phases”.

Customers who bought tickets through the See Tickets website between 25 June 2019 and 8 January 2022 may have been affected by the breach, with the potentially exposed data including names, addresses, and credit card information.

The time frame of the breach raises critical questions for the company, namely why it took so long to be detected, and why the security response then took another year to complete.

Some reports suggested that the number of affected customers in Texas alone could be greater than 90,000, which would suggest a far larger number of total victims when applied to See Tickets’ activities across the United States.


No indication has been given to suggest that See Tickets’ overseas customers have been affected by the breach, and the company has attempted to reach out to those involved directly.

Another nine months passed until 12 September, when the company came to the conclusion that the malicious activity had likely resulted in a data breach of sensitive customer information.

See Tickets states that it has worked closely with law enforcement, as well as card providers such as Visa, MasterCard, and American Express to identify transactions that may have been affected as a result of the activity.

“See Tickets is committed to safeguarding our customers’ personal information, and we value your privacy,” said the company in its letter.

“We have taken steps to deploy additional safeguards onto our systems, including by further strengthening our security monitoring, authentication, and coding.”

Given the nature of the breach, it is likely that the malicious code on the website was an exfiltration tool such as a ‘skimmer’. Such malware records details like credit card numbers used by customers during the checkout process.

With a large number of customers potentially involved in the attack, and the long period of compromise, this event could attract further legal interest in the months to come.

Rory Bathgate
Features and Multimedia Editor
