Inbenta, blamed for Ticketmaster breach, admits it was hacked

Updated: The company's chief executive said a hack of its own systems led to Ticketmaster's breach.
Written by Zack Whittaker, Contributor

Ticketmaster is believed to be the only company affected by the Inbenta security incident. (Image: file photo)

A support chat tool, used to help dozens of major websites interact with customers, has been blamed for a security breach at Ticketmaster.

One of the code libraries built by Silicon Valley-based tech firm Inbenta, which powers Ticketmaster's customer support agent, was sending payment data to an unknown third-party on customers who were buying tickets.

Inbenta chief executive Jordi Torras confirmed the security incident in a statement Thursday, but said that no other customers are at risk.

"It has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements," said Torras.

"The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat," he said.

Read also: Snapchat adds concert ticket buying - CNET

He added that "no other customers other than Ticketmaster were affected."

In an email, Torras said that hackers had targeted Inbenta's front-end servers, where the code libraries used by Ticketmaster were stored.

"The attacker exploited a number of vulnerabilities that allowed the file to be modified," said Torras. "The first part of the attack consisted of exploiting the 'file upload' capability of the web server. We have since removed that capability."

"We are still working with experts to completely understand the process and the attack used," he said.

Torras, who apologized for the Ticketmaster breach, said that the company is working with a security company to understand the breach.

It took the company several hours to clarify that Inbenta was the source of the code compromise, after the company's extended statement failed to confirm or deny a breach of its own systems.

News of the code compromise was first revealed Wednesday, after Ticketmaster, which used the support tool on its site, confirmed the security incident.

"As a result of Inbenta's product running on Ticketmaster International websites, some of our customers' personal or payment information may have been accessed by an unknown third-party," said Ticketmaster's dedicated support page, set up following the discovery of the breach.

"Forensic teams and security experts are working around the clock to understand how the data was compromised," the page said.

Ticketmaster said customer names, addresses, email addresses, phone numbers, payment details, and login details may have been stolen.

Read also: 8 steps to take within 48 hours of a data breach - TechRepublic

The ticket-selling giant said Wednesday that international customers who bought tickets between September 2017 and June 23, 2018 -- when the malicious code was found -- may be affected.

It's reported that as many as 40,000 UK-based customers who bought tickets between February 2018 and June 23, 2018 may also have been affected.

But Ticketmaster said less than 5 percent of its global customer base was affected by the security incident. Customers in North America were not affected.

Monzo, a UK mobile-only bank, said in a lengthy statement Thursday that it first found evidence of a Ticketmaster breach in April after several customers reported fraud on their cards. The ticket-selling giant began an internal investigation after Monzo reached out.

From fonts to complex code libraries, it's not uncommon for websites to rely on third-party code, hosted on other sites and services, to support their own. But they present a single point of failure, which, if breached, can affect every site that the code is loaded on.

"For the past few years companies have seen third party JavaScript libraries be targeted -- that is, on their payment page they embed third party services, for example AI chatbots," said Kevin Beaumont, a security researcher.

"Attackers have been targeting the third parties, modifying JavaScript to quietly send card payments to the attackers. It is creating a loophole as companies are investing heavily in cybersecurity, policies, encryption and following PCI standards -- but all it takes is a single third party JavaScript library to be breached for the whole chain to fall apart," he said.

In an effort to minimize the damage to its public image, Inbenta began scrubbing its website of any reference to its customers -- a once-prominent tab on its main page.

Although Inbenta said no other customers were affected, Inbenta currently serves its chat software to several major corporate customers, including gym class scheduler Mindbody, ticket site StubHub, and mobile game revenue platform Chartboost. ZDNet reached out to those customers, as well as Franklin Covey, Schlage, and Stubhub, among others.

Read also: Dixons Carphone hit by huge data breach

None of the companies -- except Skyscanner -- responded.

"We have been reassured by [Inbenta] that we haven't been impacted," said Lisa Imlach, a spokesperson for Skyscanner.

It's not the first time third-party code has compromised other sites.

Online customer service software 247.Ai revealed earlier this year that it had been compromised during a two-week period late last year. The company's software was installed by -- and impacted -- Best Buy, Delta, and Sears, and other major retailers.

Others, including American Express, said they were unaffected by the breach.

Editorial standards