Tick­et­mas­ter ‘failed to act’ on breach fears

The Daily Telegraph - Business - - Technology Intelligence - By James Cook

TICK­ET­MAS­TER has been ac­cused of a “frus­trat­ing” fail­ure to act on a data breach, de­spite be­ing warned about it sev­eral months ago.

The ticket sell­ing web­site ad­mit­ted on Wed­nes­day that in­for­ma­tion about its cus­tomers had been stolen in a cy­ber at­tack on one of its sup­pli­ers.

But Bri­tish chal­lenger bank Monzo said it had in­formed Tick­et­mas­ter of a se­ries of sus­pi­cious trans­ac­tions in April. The UK’s data watch­dog, the In­for­ma­tion Com­mis­sioner’s Of­fice, said it was in­ves­ti­gat­ing the breach and that it could po­ten­tially fall un­der new data pro­tec­tion laws that al­low for mul­ti­mil­lion-pound fines.

Monzo chief ex­ec­u­tive Tom Blom­field said that his com­pany in­formed the web­site of a po­ten­tial breach in early April af­ter notic­ing that many cus­tomers who had used Tick­et­mas­ter had fraud­u­lent pur­chases us­ing their cards.

Mr Blom­field said that Monzo started notic­ing a rise in fraud­u­lent trans­ac­tions on April 6. Around 70pc of those trans­ac­tions came from peo­ple who had shopped at Tick­et­mas­ter.

Tick­et­mas­ter’s se­cu­rity team vis­ited Monzo’s Lon­don of­fice on April 12 but con­cluded that there was no breach, Mr Blom­field said.

Monzo de­cided to take the “quite ex­treme step” of re­plac­ing around 6,000 cards of peo­ple who had shopped at Tick­et­mas­ter. The cost of re­plac­ing those cards to Monzo is be­tween £20,000 and £30,000. Tick­et­mas­ter only dis­closed that it had suf­fered a data breach on Wed­nes­day, over two months af­ter Monzo said it in­formed the com­pany of a po­ten­tial breach.

Tick­et­mas­ter said that it had found “ma­li­cious soft­ware” on the web­site of one of its sup­pli­ers on June 23. It said that less than 5pc of its cus­tomers had been af­fected by the breach.

The BBC re­ported that up to 40,000 UK Tick­et­mas­ter ac­counts may have been af­fected. How­ever, Mr Blom­field’s com­ments raise ques­tions about the speed of Tick­et­mas­ter’s re­sponse to sug­ges­tions that its cus­tomers’ data had been stolen.

Tony Pep­per, chief ex­ec­u­tive of data se­cu­rity com­pany Egress, said that “there are go­ing to be a few eye­brows raised” fol­low­ing Monzo’s com­ments about Tick­et­mas­ter’s de­lay in re­port­ing the breach.

The new Gen­eral Data Pro­tec­tion Reg­u­la­tion means com­pa­nies must dis­close data breaches to reg­u­la­tors within 72 hours of learn­ing of the is­sue.

The In­for­ma­tion Com­mis­sioner’s Of­fice said it was look­ing into the tim­ing of the breach. A spokesman said that “or­gan­i­sa­tions have a le­gal duty to en­sure that peo­ple’s per­sonal in­for­ma­tion is held se­curely; we have been made aware of an is­sue con­cern­ing Tick­et­mas­ter and will be mak­ing en­quiries”.

Tom Blom­field, chief ex­ec­u­tive of Monzo, said his bank had raised con­cerns about a pos­si­ble Tick­et­mas­ter breach

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.