Country briefing exerts and analysis from KCS Group
Shoppers on the Internet are not just at risk from hackers – they can be hit by uncorrected errors, too. A story breaking in recent days has been that of concert-goers, seeking to buy tickets to Adele’s 2016 tour, being shown personal and financial data belonging to other prospective ticket-holders. The exact information varies in each case, but either personal identifiers, credit card information, or both, have appeared in ‘shopping baskets’ when users try to pay.
The Adele ticket sale was organised by promoter Songkick, which asserted in a statement that ‘there was no evidence that information [viewable] included credit card numbers’. This would seem to be at odds with customer experience who regularly reported seeing financial data and Songkick updated its statement to affirm that ‘limited account information’ had been viewable.
The security concerns over this are immediate and significant. Multiple users reported immediately deleting information once it became clear that it did not belong to them, but it is foolish to rely on the good graces of all potential customers. It would take just one malicious actor to take this information and act on it. Even one security breach of this nature could be reputationally devastating to Songkick.
It appears that this was an issue with the coding of the website which permitted information to skip through the insecure gaps and be displayed to other users. One would expect that this is something that the ticket-selling website would have spotted earlier, given that their business is entirely founded upon the safe and secure selling of tickets. Songkick claim that the problem was due to excessive demand for Adele’s tickets but this is absolutely not the core problem. If the website had been coded properly in the first place, this unwanted publicising of danger could not have occurred.
Moreover, this was not a ‘hack’ in the truest sense of the word. The coding error was inherent within the website and allowed personal data to be displayed entirely by mistake. This is perhaps even more worrying than if the ticket sale had been explicitly targeted – it could have happened at any time, to any person. It also highlights once again the worrying trend that one does not need to be a skilled hacker in order to benefit from cyber-crime.
What could have been done with the information? In the hands of a bad actor, it could have been copied and used for personal ends. Or it could have been posted for sale on the deep web, where personal information of any kind is gold-dust to criminal elements. Neither possibility is likely to endear Songkick to current and future users. It should also be remembered that a hack doesn’t happen overnight. Cyber criminals spend months researching their target before striking.
This personal data breach has not yet been reported to have resulted in any financial/data theft, but this does not recuse the initial fault. The two main ‘talking points’ to have emerged – over the extreme good fortune for Songkick that the data breach has so far not been directly damaging to customers – are firstly that this is further proof that hacking is not a pre-requisite for a data breach, and secondly that even the most innocuous personal identifier can be of use to cyber-criminals in the modern world of crime. It is hoped that purchase platforms of all types will learn from this flaw, although there is no guarantee that such a mistake will not happen again. Meanwhile the genuine bad actors may choose to zero in on the ticketing and entertainment industry, knowing that there is such a strong demand for certain events that they could make millions in a single day.
Adele is used to sending the Internet into a meltdown, but one would hope that it would not be over a security breach like this.
Source: KCS Group
Read more article by and about KCS: https://www.kcsgroup.com/2015/