The concert ticket service Ticketfly has announced a data breach. While details are limited at this time, the number of users compromised is alarming. This story will continue to evolve as more details are released. Ticketfly is one of the first organizations to experience a security breach since GDPR took effect.
Ticketfly’s parent company, Eventbrite, has disclosed that over 26 million Ticketfly users have had their personal data breached by a hacker, exposing consumer datasets. The PII leaked includes names, home addresses, email addresses and phone numbers. Troy Hunt, the owner of the website ‘Have I been Pwned?’, has stated that this breach is not disastrous since credit card and payment information was not captured in the breach.
Ticketfly’s data breach is front and center
Ticketfly’s site has been down since the breach was announced on Thursday evening, when the site stated that the company had been the victim of a cyber attack. It was taken down to allow a full forensic investigation into the breach. Before the ticket vendor addressed the breach, a Ticketfly user tweeted:
“Ticketfly must come clean that your data is compromised and still very much downloadable at this moment.”
This message from the hacker responsible was shared via CNET:
“A hacker who goes by ‘IShAkDz’ has taken credit for the attack. Before Ticketfly took down its website, the hacker left a taunting message across the service’s website: ‘Your security down, I’m not sorry. Next time I will publish database.’
“The hacker, who also left an e-mail address, appeared to have a database with more than 4,000 spreadsheets holding people’s information, including email addresses, phone numbers, names and addresses.”
Further, the hacker told CNET that they had asked Ticketfly for a ransom. IShAkDz stated that they wished to be paid exactly one bitcoin to fix the exploited flaw. One bitcoin is worth roughly $7,544. According to the hacker, Ticketfly ignored the ransom requests.
Since details are still limited, it’s difficult to discern exactly how the attacker gained entry, the location of those affected and for how long the ticket vendor was exposed. Ticketfly’s hacker could have entered into the system via an unpatched issue or an unknown vulnerability.
What about GDPR?
The real question here is whether GDPR will be relevant, since GDPR relates directly to any organization conducting business within the EU or with EU consumers. The affected consumer PII details have not been released in their entirety. Ticketfly will have to wait and see whether it is hit by any fines relating to GDPR. GDPR has already made an appearance since its inauguration on May 25th.
Follow the Ticketfly cyber security breach to learn more and see if GDPR surfaces. It’s not too late to become GDPR compliant. Act now before you end up in news headlines.