At a glance.
- Ticket seller waits until final act to reveal user data breach.
- Study shows global increase in data breaches in Q3 2022.
Ticket seller waits until final act to reveal user data breach.
See Tickets, a UK ticketing service provider, has disclosed that a data breach potentially exposed customers’ payment card details, Bleeping Computer reports. The cybercriminals implanted a skimmer on order checkout pages to harvest the data of users purchasing tickets to events on the site. The breach was discovered in April 2021, at which time See Tickets launched a forensics investigation that revealed the malicious code had been present since June 2019, but it wasn’t until January 2022 that the skimmer was removed from the site. Last month, after consulting with American Express, Visa, and other credit card companies, See Tickets verified that the hackers may have accessed customer payment data. The company has not shared how many individuals were impacted, and though they’ve advised customers to be on the lookout for any suspicious activity on their cards, See Tickets has not offered any complimentary identity protection service for those impacted. Let’s hope the show was worth it.
Dr. Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, commented on the sheer duration of the compromise:
“The alleged two-year duration of the compromise raises a lot of questions. Modern malware, designed to steal credit card information from websites, becomes increasingly sophisticated in terms of obfuscation, making external vulnerability or malware scans futile. Most likely the malicious code was deeply hidden within a legitimate JS library hosted externally, being triggered only against the website visitors coming from specific countries or having certain device types to avoid detection.
“Nonetheless, properly implemented continuous security monitoring and application security programs should have revealed the malicious code much faster than the alleged two-year period. It is also incomprehensible why the victims have not complained earlier or why their complaints did not reveal the problem. Whilst there is no dedicated privacy protection law in Montana, like the Californian CCPA, the legal consequences of the breach may be quite severe. Victims may initiate individual and class-action lawsuits, while the breached company’s right to process credit cards may possibly be suspended for violations of PCI DSS in addition to a monetary fine. Moreover, if EU residents or numerous residents from other US states figure among the victims, GDPR and other legislation may apply.”
Study shows global increase in data breaches in Q3 2022.
A new study from Dutch cybersecurity company Surfshark says 108.9 million accounts were breached in the third quarter of 2022, a 70% increase over the previous quarter. “It's concerning to see data breaches rising again after a comparatively timid first half of the year,” said Agneska Sablovskaja, lead researcher at Surfshark. “Every second in the past three months, 14 accounts were leaked – all of them coming from different countries.” The country most impacted by breaches was Russia, followed by France, Indonesia, the US, and Spain. As Infosecurity Magazine notes, Russia’s place at the top of the list was no doubt impacted by its invasion of Ukraine. Ukraine, meanwhile, saw a 14% decrease in breached users since Q2. Although Russia experienced the greatest number of total breaches (22.3 million), France had the highest breach density, with an average of 212 leaked accounts per one thousand people. It's worth noting that Indonesia’s number of impacted individuals rose a whopping 1370% over last quarter, which no doubt played a part in its parliament’s decision to ratify the Personal Data Protection Act.