Kiwis appear caught in Ticketmaster 'hack', alleged Smith & Caughey data for sale on dark web shows

Major developments have taken place in two major cybersecurity attacks.

Ticketmaster has finally admitted that some sort of cyber incident had taken place, after a hack – allegedly exposing customer data – was first reported last Thursday NZT.

A cybersecurity analyst tells the Herald he found that New Zealanders were among those affected by the apparent breach of the global ticket giant's systems, which hacker group ShinyHunters claims to have carried out.

Meanwhile, a second hacker group, LockBit, posted on the dark web claiming it had Smith & Caughey's finance, HR, accounting, management and IT data for sale – with a June 4 deadline for offers (although hackers' deadlines are often pushed back if no bidder comes forward).

The department store, which is closing its doors after 144 years, said Thursday it had been the victim of a major cyberattack. “Our server and retail operations systems have been crypto-locked,” said President Tony Caughey. Caughey has been contacted for comment.

Security experts say that while it appears no passwords were stolen in the alleged Ticketmaster breach, and only partial credit card data (the last four digits plus the expiration date), cybercriminals could use that data to craft fake offers to Ticketmaster customers in an attempt to harvest their remaining details.

Last week, ShinyHunters claimed to have stolen the following information from approximately 560 million Ticketmaster customers:

  • Names
  • Addresses
  • Partial credit card data (last four digits plus expiration date)
  • Phone numbers
  • Ticketmaster purchase history

A security analyst provided the Herald with a screenshot of sample data that ShinyHunters posted on the dark web, in the form of half a dozen CSV files (a spreadsheet format) spanning 10,000 alleged Ticketmaster customers.

It includes details of two New Zealand customers – which the analyst said was what he expected, given it was a representative sample of half a billion records.

ShinyHunters – who recently unsuccessfully attempted to extract a $30,000 ransom from MediaWorks for partial data on The Block NZ competition entrants – reportedly demanded US$500,000 ($820,000) for the alleged Ticketmaster data and threatened to sell it if the ransom is not paid.

Ticketmaster parent responds

Ticketmaster has not responded to media questions, including from the Herald, and has not published information about the alleged breach on its New Zealand or global websites.

But its parent company, Live Nation, broke its silence this weekend with a May 31 (June 1 NZT) filing with the SEC (Securities and Exchange Commission).

“On May 20, 2024, Live Nation identified unauthorized activity within a third-party cloud database environment containing corporate data (primarily from its Ticketmaster subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.

“On May 27, 2024, a criminal actor offered for sale what he claimed to be company user data via the dark web. We are working to mitigate risks to our users and the company, and have notified and are cooperating with law enforcement. Where applicable, we also notify regulatory authorities and users of any unauthorized access to personal information.

“As of the date of this filing, the incident has not had, and we do not believe is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to assess risks and our remediation efforts continue.”

There has been speculation that cloud service provider Snowflake is the “third party” mentioned in the Live Nation filing, but in a company blog post the company denied any security breaches.

The ShinyHunters want $500,000

Reports of the alleged breach first surfaced on Thursday NZT.

“The Office of the Privacy Commissioner has not been informed by TicketMaster of a breach affecting New Zealanders,” a spokesperson for the Privacy Commissioner told the Herald on Friday.

“When an organization has suffered a privacy breach that could cause serious harm to anyone, they are legally required to notify us and everyone affected as soon as they are practically able to do so.

“As a guide, we expect a breach notification to be made to our office no later than 72 hours after agencies become aware of a notifiable privacy breach.”

Ticketmaster did not immediately respond to a request for comment. The company did not respond to requests for comment from various global media outlets.

Publicity stunt?

Some cybersecurity experts say it's possible that there was no breach and that the whole affair was a publicity stunt by ShinyHunters after a recent setback in the wake of the failed MediaWorks ransom.

“It is crucial to approach this incident with skepticism until more information becomes available, as the timing of the data offered on the relaunched BreachForums site raises questions about its authenticity,” Toby Lewis, a threat analyst at cybersecurity company Darktrace, told the Herald.

Earlier this month, the FBI, backed by international law enforcement partners including New Zealand Police, seized the BreachForums website used by ShinyHunters to trade stolen data – although Emsisoft threat analyst Brett Callow warned that the forum had shown “cockroach-like resilience” despite the arrest of one of its founders in 2022 and another in 2023.

“If confirmed, Ticketmaster must be transparent about the data accessed.

“Customers can protect themselves by changing their passwords and monitoring their accounts, although this may prove unnecessary if attackers still have access or there is no breach in the first place,” said Lewis.

The separate analyst who told the Herald he had seen evidence of New Zealand customers said it was not confirmed that the files were genuine.

Regardless, customers should be wary of fake offers. The key tip is to enable multi-factor authentication, which uses a text message or app to approve a login from a new device.

Chris Keall is a member of the Herald's business team based in Auckland. He joined the Herald in 2018 and is technology editor and senior business editor.
