
Background on the Ticketmaster Data Breach 

In May 2024, Ticketmaster, a subsidiary of Live Nation, confirmed a significant data breach that potentially impacted 560 million users. The breach involved unauthorised access to an internal database within a third-party cloud environment, identified on May 20th. Following this, on May 27th, a criminal group known as ShinyHunters offered the stolen data for sale on the dark web, demanding $500,000 for 1.3TB of data. This database reportedly includes names, addresses, emails, phone numbers, partial credit card details, and ticketing order information. 

How the Breach Occurred 

The breach was linked to a compromised employee account at Snowflake, a cloud storage company used by Ticketmaster. The attackers reportedly bypassed Okta’s secure authentication by using stolen credentials to access a Snowflake employee’s ServiceNow account. This allowed them to generate session tokens to exfiltrate data from multiple Snowflake customers. 

Snowflake, in collaboration with cybersecurity firms CrowdStrike and Mandiant, is investigating the incident. While Snowflake disputes the hacker’s claims and suggests the breach resulted from industry-wide identity-based attacks using stolen credentials, it acknowledges increased threat activity targeting its customers. 

Threat Tactics, Techniques, and Procedures (TTPs) 

The TTPs used in this breach highlight several key strategies: 

  1. Credential Theft: Attackers used stolen credentials, likely obtained through information-stealing malware. 
  2. ServiceNow Exploitation: Gaining access to an employee’s ServiceNow account allowed attackers to move laterally within Snowflake’s systems. 
  3. Session Token Generation: By generating session tokens, attackers could maintain persistent access to exfiltrate data without further authentication barriers. 
  4. Dark Web Data Sale: Offering the stolen data on the dark web for a one-time sale reflects a monetisation strategy designed to quickly offload the compromised information. 

Preventative Measures 

To protect against similar breaches, businesses and individuals can implement the following measures: 

  1. Strengthen Authentication: Use multi-factor authentication (MFA) to add an extra layer of security beyond passwords. 
  2. Regularly Update Software: Ensure all systems and applications are up-to-date with the latest security patches. 
  3. Monitor Accounts for Suspicious Activity: Regularly review account activities for any unauthorised access or changes. 
  4. Educate Employees on Security Practices: Provide training on recognising phishing attempts and the importance of secure credential management. 
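The account-monitoring measure above is the one most directly tied to the stolen-credential access described in this incident. The script below is an added example, not code from the original article or from Snowflake, Okta or Ticketmaster; it assumes a simple constructed JSON-per-line authentication log (the field names `user`, `ip`, `result` and `mfa` are assumptions) and flags successful sign-ins that skipped MFA, came from an IP outside the account's known baseline, or followed failed attempts from the same source.

```python
# Added example (not from the original article): flag sign-ins that succeed with a
# password only (no MFA) from a source IP the account has not used before, or that
# follow failures from the same source, i.e. the pattern behind identity-based
# attacks using stolen credentials. The log lines are constructed for illustration.
from collections import defaultdict
import json

CONSTRUCTED_AUTH_LOG = """\
{"ts":"2024-05-18T09:01:00Z","user":"svc_analytics","ip":"203.0.113.10","result":"SUCCESS","mfa":true}
{"ts":"2024-05-19T09:05:00Z","user":"svc_analytics","ip":"203.0.113.10","result":"SUCCESS","mfa":true}
{"ts":"2024-05-20T02:14:00Z","user":"svc_analytics","ip":"198.51.100.77","result":"SUCCESS","mfa":false}
{"ts":"2024-05-20T02:15:00Z","user":"jdoe","ip":"198.51.100.77","result":"FAILURE","mfa":false}
{"ts":"2024-05-20T02:16:00Z","user":"jdoe","ip":"198.51.100.77","result":"SUCCESS","mfa":false}
{"ts":"2024-05-20T08:00:00Z","user":"asmith","ip":"203.0.113.22","result":"SUCCESS","mfa":true}
"""

# Constructed baseline of IPs each account normally signs in from (assumption).
KNOWN_IPS_BASELINE = {"svc_analytics": {"203.0.113.10"}, "asmith": {"203.0.113.22"}}

def parse_events(text):
    """One JSON object per line; blank lines are skipped so a trailing newline is harmless."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspicious_logins(events, baseline=None):
    """Return alerts for successful logins that (a) did not use MFA, (b) came from an
    IP not yet seen for that user, or (c) followed failures from the same (user, ip).
    Events are processed in timestamp order, so the known-IP set grows only from
    earlier successes plus the supplied baseline; the caller's baseline is not mutated."""
    known_ips = defaultdict(set, {u: set(ips) for u, ips in (baseline or {}).items()})
    failures = defaultdict(int)   # (user, ip) -> failed attempts since the last success
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["result"] != "SUCCESS":
            failures[key] += 1
            continue
        reasons = []
        if not ev["mfa"]:
            reasons.append("no_mfa")
        if ev["ip"] not in known_ips[ev["user"]]:
            reasons.append("new_ip")
        if failures[key]:
            reasons.append(f"after_{failures[key]}_failures")
        failures[key] = 0
        known_ips[ev["user"]].add(ev["ip"])
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_events(CONSTRUCTED_AUTH_LOG), KNOWN_IPS_BASELINE):
        print(alert)
```

In the constructed log, the two early-morning password-only sign-ins from the unfamiliar address are flagged while the MFA-backed logins from known addresses are not.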

Steps to Take if Affected by the Breach 

If you suspect your information was compromised in the Ticketmaster breach, take the following steps: 

  1. Change Passwords: Immediately update passwords for your online accounts, ensuring they are strong and unique. 
  2. Monitor Financial Accounts: Keep a close eye on bank statements and credit card activity for any unauthorised transactions. 
  3. Consider Credit Monitoring Services: Use credit monitoring services to track changes in your credit report and detect potential fraud. 
  4. Report Suspicious Activity: Report any suspected fraudulent activity to your bank, credit card company, and if funds have been lost, report this to Police Scotland. 

Further information and reading available at: