Ticketmaster's U.K. breach shows risks of third-party code on websites
Ticket sales company Ticketmaster has warned customers in the U.K. that malicious code running on its website could have led to personal data and payment details being stolen.
On a special website the company has set up to inform its customers, Ticketmaster explains that the breach happened at Inbenta, whose software it uses to handle customer support and whose code was thus embedded on Ticketmaster’s website. Upon discovering the breach, Ticketmaster disabled Inbenta’s software throughout the site.
The breach, which appears to have affected only users of the company’s U.K. service, was discovered on Saturday, but the phrasing on the website suggests the malicious code may have been running for months.
However, there are a number of things websites can do to mitigate the risk. The first is to actively monitor the scripts running on the site and the changes made to them; in particular, site owners should look at what other scripts are called by those third-party scripts.
Finally, a site owner may want to consider whether running third-party code is necessary on all parts of the website. In particular, those pages on which users enter personal data may be best excluded from running any third-party code.
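The two checks described above, monitoring third-party scripts for changes and keeping them off pages where users enter personal data, can be automated along the following lines; this is an added example, not code from Ticketmaster, Inbenta or the original article. It only covers scripts referenced directly in the page's HTML, not scripts those scripts load at run time. The host names, the `fetch` callable and the baseline of reviewed hashes are assumptions made for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def sri_hash(body: bytes) -> str:
    """SHA-384 digest in the format used by Subresource Integrity."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def third_party_scripts(page_url: str, html: str) -> list:
    """Absolute URLs of scripts served from a host other than the page's own."""
    collector = ScriptCollector()
    collector.feed(html)
    site = urlparse(page_url).hostname
    urls = [urljoin(page_url, src) for src in collector.sources]
    return [u for u in urls if urlparse(u).hostname != site]


def audit(page_url, html, fetch, baseline, sensitive=False):
    """Compare each third-party script with its reviewed baseline hash."""
    findings = []
    for url in third_party_scripts(page_url, html):
        if sensitive:
            findings.append(("third-party-on-sensitive-page", url))
        if url not in baseline:
            findings.append(("unreviewed-script", url))
        elif sri_hash(fetch(url)) != baseline[url]:
            findings.append(("changed-script", url))
    return findings


# Constructed sample data (hypothetical hosts) so the example runs offline.
BODIES = {"https://support-vendor.example/widget.js": b"renderChat();"}
BASELINE = {url: sri_hash(body) for url, body in BODIES.items()}
PAGE = ('<script src="/app.js"></script>'
        '<script src="https://support-vendor.example/widget.js"></script>')
print(audit("https://shop.example/checkout", PAGE, BODIES.get, BASELINE, sensitive=True))
```

In a real deployment `fetch` would be an HTTP client call run on a schedule, and the baseline would be updated only after a changed script has been reviewed.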
For Ticketmaster this advice obviously comes too late. The company urges its customers to check account statements for evidence of fraud or identity theft, while it also offers 12 months of free identity monitoring for affected customers.