The personal information of Canadian Ticketmaster customers appears to have been stolen by hackers, according to a sample of the data shared with Global News.
Twelve files containing spreadsheets of data allegedly represent a small fraction of the Ticketmaster data stolen by infamous hacking group ShinyHunters. The group claimed early last week that it stole 1.3 terabytes of data, containing the personal information of 560 million customers.
The data — shared with Global News by an expert who has been granted anonymity for fear of legal action — amounts to just 37.5 megabytes, and appears to include the personal information of tens of thousands of people, including full names, phone numbers, email addresses, home addresses, partial credit card details and transaction details.
A preliminary analysis of the location data in the trove suggests that the vast majority of the data comes from customers in the United States. Canadians are the second-largest demographic group, followed by Mexicans. A small amount of data originates from Europe, Asia, Australia and Central and South America.
In the days following news of the hack, Ticketmaster did not comment publicly. Its parent company, Live Nation, acknowledged the potential data breach in a Friday SEC filing, reporting that it “identified unauthorized activity” in a third-party hosted database on May 20 and had launched an investigation “to understand what happened.”
A week later, on May 27, ShinyHunters listed the data for sale on the dark web for US$500,000, catapulting the story into the public eye.
“We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information,” Live Nation wrote in the Friday filing.
Ticketmaster and Live Nation have not responded to multiple emails from Global News regarding the data breach and whether Canadians’ data was leaked.
The Office of the Privacy Commissioner of Canada (OPC) has been in contact with Ticketmaster, but the office told Global News it has yet to receive a formal report notifying the agency of breached Canadian data.
“The OPC continues to remain engaged with Ticketmaster in order to determine next steps,” the office states.
Businesses like Ticketmaster, that are subject to Canadian privacy laws, must report breaches involving Canadian customers’ data when the breach poses a real risk of significant harm to the individual, in accordance with the Personal Information Protection and Electronic Documents Act.
“The Government of Canada is monitoring the situation and takes protection of privacy very seriously,” said the office of François-Philippe Champagne, the Minister of Innovation, Science and Industry, in a statement to Global News.
The data sample
Global News has partially verified the leaked data set by testing a random sample of the emails and found they were linked to Ticketmaster accounts. Global News decided to not take further measures to verify the information contained in the spreadsheets in order to use the personal information as minimally as possible for reporting purposes.
One of the files shared with Global News, called “SalesOrd,” had a comprehensive list of personal information including what appears to be customers’ full names, home addresses, postal codes, home countries, and email addresses. There were 10,000 entries in the spreadsheet, though only 5,682 entries included country data.
There are at least 527 Canadian home addresses contained in the spreadsheet, amounting to just over nine per cent of the complete entries. For the U.S., there are at least 4,880 addresses in the data set, amounting to over 85 per cent of the complete entries. For Mexico, there are at least 204 addresses.
The following countries all had at least one complete address listed in the spreadsheet: Argentina, Australia, Brazil, Switzerland, China, Germany, Spain, Great Britain, Guatemala, Israel, Italy, Japan, Luxembourg, the Netherlands, Peru, the Philippines, Slovakia and Turkey.
Since the data set is a small fraction of the alleged 1.3-terabyte trove, it’s unclear if this data is representative of the whole.
Another file, titled “SaleOrdDeluxeHDR,” included home addresses, cities, states and provinces, postal codes and phone numbers, but no names and email addresses. This file also had information regarding how many tickets had been purchased through Ticketmaster, along with the total purchase amount.
Filtering by postal code, Global News was able to identify at least 696 Canadian addresses. Comparing the postal codes in this file with the SalesOrd file showed minimal overlap, suggesting that a combined total of at least 1,214 unique Canadian addresses are contained in the data sample.
Additional addresses from countries that were found in this file but not the first include: Chile, Colombia, Singapore, Ireland, the Czech Republic and Portugal.
Since this file did not contain email addresses, Global News did not verify this data set in order to use the personal information as minimally as possible for reporting purposes.
Another file titled “PmtMethod” included partial credit card details of what appears to be Ticketmaster customers. This includes the type of credit card (Visa, Mastercard, Paypal, etc.), the last four digits of the credit card and the card’s expiry date.
Since this file did not contain email addresses, Global News did not verify this data set.
What to do if you’re concerned about your data
Canada’s privacy commissioner recommends that those concerned about their personal data being leaked in the Ticketmaster hack should change their account password, consider subscribing to credit monitoring services and be on the lookout for social engineering attacks.
“Social engineering is the practice of manipulating people in order to obtain confidential or sensitive data. This could include using stolen information to get someone to divulge more personal information,” the office writes.
In general, Canadians should use multi-factor authentication as much as possible to secure their online accounts and use different passwords for different websites.
Experts who spoke to Global News say the silver lining in the Ticketmaster breach is that it doesn’t appear that sensitive banking information was stolen, and that appropriate security measures were taken by Ticketmaster to conceal full credit card details. But when data breaches happen, scammers are known to come out of the woodwork. And they can leverage social engineering for harm, as the OPC warns.
According to Brett Callow, a threat analysis expert at cyber-security firm Emsisoft, the kind of data that appears to have been stolen can’t be easily used to commit identity fraud. However, this personal information “could potentially be aggregated with other information that is publicly available” through previous data breaches to be used for nefarious purposes.
The most pressing danger to Canadians, in Callow’s opinion, is that scammers, potentially unrelated to the hackers, could use news of the Ticketmaster breach to trick individuals concerned about their personal data.
“They will send out spam messages offering people free credit monitoring — ‘Sign up here, click the link,'” Callow notes. “They may tell people they’re entitled to compensation because of the Ticketmaster breach — ‘Click here to enter your banking information for an auto deposit.’
“(People) should be on the lookout for those type of things. Any text or email they receive. Don’t click the links. Go to the actual website of the organization instead.”
David Bradbury, the Chief Security Officer of Okta, a major company specializing in secure sign-ons and online authentication, warns Canadians to be “hyper-vigilant in this world we’re in.”
“As we see this proliferation of personal data that is emerging on the internet, it does make us all bigger targets for phishing attacks,” Bradbury says.
Hackers and scammers can “quickly and easily access lists of information about you, and can create compelling and interesting emails that are tailored towards you as a specific individual,” he notes. And with the advent of artificial intelligence tools, the ability of malicious actors to create “very well-worded and very relevant” communications only increases.
These scammers may use your leaked personal data, such as the last four digits of your credit card, to build trust and appear legitimate, “and by building that trust, they can attempt to convince you to perform actions that you wouldn’t usually perform,” Bradbury says.
“We need to be conscious that we live in a world where hackers are able to access our information freely through, sadly, the number of data breaches that have occurred,” he notes. “This is a new world we’re operating in where our personal information is no longer secret and protected. And in that world, we need to be very conscious that people may try to contact us, and try to perform harmful actions.”
How did the hack happen?
Live Nation reported to the SEC that it detected “unauthorized activity within a third-party cloud database environment containing Company data,” meaning the database that was allegedly accessed by the hackers was not hosted by Live Nation or Ticketmaster themselves.
A spokesperson for Ticketmaster, who did not provide their name, told TechCrunch that the illegally accessed database was hosted by Snowflake, a cloud-computing company that stores and analyzes enterprise data. Ticketmaster and Live Nation did not respond to a Global News email seeking confirmation on this.
Cybersecurity firm Hudson Rock published a now-deleted report claiming that it had evidence that the hackers used the stolen credentials of a single former Snowflake employee to gain access to Snowflake’s data environment, exposing the data of its customers.
Ticketmaster wasn’t the only Snowflake customer to be hacked. Information allegedly stolen from Santander Bank was put up for sale for US$2 million by ShinyHunters, the same group that claims they carried out the Ticketmaster hack.
Snowflake has disputed the report and released the results of an internal investigation it carried out with third-party cybersecurity firms CrowdStrike and Mandiant.
The investigation found no evidence of wrongdoing on Snowflake’s part and suggested that the attack on its customers was a “targeted campaign directed at users with single-factor authentication” and that the threat actors “leveraged credentials previously purchased or obtained through infostealing malware.”
Digital credentials are passwords or other means of authentication that confer access to a user.
Snowflake did find evidence that the hacker obtained the credentials of a Snowflake employee and was able to access a demo account, but the company says that no real personal information was contained in the demo environment.
“Demo accounts are not connected to Snowflake’s production or corporate systems,” the company explains. “The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems.”
According to experts, the results of this investigation suggest that the Ticketmaster and Santander Bank hack occurred because these companies did not have multi-factor authentication deployed across the board. This means that a hacker may have been able to exploit stolen credentials in order to login to these databases as a Ticketmaster or Santander Bank employee. Had multi-factor authentication been enabled on these accounts, the attack could have been prevented.
Ticketmaster and Live Nation did not respond to a Global News inquiry about whether the lack of multi-factor authentication was a factor in this breach.
According to the Verizon 2023 Data Breach Investigations Report, 86 per cent of data breaches that took place between Nov. 1, 2021, and Oct. 31, 2022, involved the use of stolen credentials.
“Multi-factor authentication absolutely is table stakes when it comes to securing yourself (and companies). We need to make sure that this is understood,” said Bradbury, Okta’s chief of security.
Threat analysis expert Callow also sees multi-factor authentication as a necessity.
“Cybersecurity is hard. It’s not necessarily easy to get everything right all of the time. However, most attacks succeed because of fairly basic security failings… such as not using multi-factor authentication everywhere it should be used, which it would seem Snowflake is suggesting may have been the root cause of the Ticketmaster incident.”
Callow also notes that last month, a White House national security official Anne Neuberger questioned if companies were engaging in “negligence” for not taking basic steps to protect personal data, such as using multi-factor authentication.
The comments came in the wake of the Change Healthcare cyber attack, that froze technology used to submit and process billions of insurance claims a year in the U.S. The CEO of Change Healthcare admitted in a U.S. Senate hearing that the attack occurred when hackers entered a server that lacked multi-factor authentication, the Associated Press reported.
Callow suggests that the Canadian government look into harsher regulatory penalties and institute legislative requirements for the cybersecurity measures that must be in-place within companies and organizations that handle sensitive, personal data.
“Lots of areas are legislated when it comes to health and safety requirements. And cybersecurity should be no different because it’s not just a financial problem. It’s also an issue that puts people’s lives at risk.”
Comments