In a blog post published today by Sophos' Naked Security blog, the online ticket retailer See Tickets has been suffering from the ill effects of a data breach between June 2019 and January 2022, when the activity was eventually stopped.
See Tickets prides itself on being one of the largest ticket retailer for events across the globe, with over 8,000 venues served and a figure of 20 million tickets sold per year.
However, the breach itself started on 25th June 2019 at the latest, which is when attackers implemented data stealing malware on the event checkout pages on See Tickets. As a result, the majority of personal information that was input to these pages is at risk, including names, addresses, and payment card details.
In April 2021, See Tickets was made aware of the attack by a third party, and began investigating alongside a yet unnamed cyberforensics firm. However, it took until 8th January 2022 for the activity to be shut down. On the 12th September 2022, See Tickets concluded that the attack "may have resulted in unauthorised access to payment card information," but didn't send the email communication until October, which means that it took See Tickets a total of 18 months to inform customers.
Anyone who has made a purchase from See Tickets since June 2019 should assume, even if you have not received an email directly from See Tickets, that your data is at risk, and should take appropriate action to protect yourself. The best action that can be taken at this time is to avoid any phishing emails that come in, and to monitor financial statements for the cards that were used to make the purchases.
Professionals operating websites like See Tickets should treat this type of attacker as an "active adversary" and take action, not just to remove the malware that was implanted into the systems, but to conduct a full review of configuration and operational changes since the initial attack, as bad actors will look to set up access routes to return (or sell to other parties) later in the event that the initial malware is found and removed.
Source: Naked Security