The Two and a Half Years See Tickets Web-Skimming Attack Didn’t Need to Happen!

Share article
twitter linkedin medium facebook

All online retailers are like honeypots to cyber criminals, and ticket retailers are no exception. Customers share their payment details and identifying information with the expectation that the companies involved will protect their money and their data as if it were their own. But not all of them are as careful as they should be, and the See Tickets web skimming attack is a sobering example of what can happen when companies don’t make their supply chain security watertight. 

It seems surprising, not to mention disturbing, that a popular, well-established business owned by Vivendi SE, a large French media conglomerate, could allow a breach of its customers’ credit card details to carry on for more than two and a half years (!), but that’s what happened.

The See Tickets web skimming attack began on June 25, 2019, but it was not discovered until April 2021. Even then, the company did not completely shut down unauthorized activities arising from the breach until January 8, 2022. It then took them a further eight months to understand exactly which payment card details had been exposed. It isn’t known how many individuals were affected in total, but it’s known that there were 90,000 victims just in the state of Texas.

The Minimum Compliance Approach

One security consultant, Jim Seaman, commenting on his LinkedIn page, called the See Tickets web skimming attack, “Another example of the perils of the minimum compliance approach,” and on the face of it, this seems like a fair assessment. The checkout page used an iframe that was linked to a payment service provider, and while the iframe itself was PCI DSS-compliant, the checkout page that was hosting it was not. This gave the Javascript-based skimmer free rein to harvest customer payment data with impunity for a very long time.

The truly unfortunate thing here is that this situation was completely avoidable. If See Tickets had trusted its security to Reflectiz, the rogue tracking pixel that caused the iframe vulnerability would have been detected much more quickly and the web skimming attack would have been halted in its tracks. Since breaches like the See Tickets web skimming attack became the norm, the “minimum compliance approach” and trusting in luck are no longer enough.

The Ticketfly Attack

It turns out that 2018 was a bad year for online ticket vendors in general because another company, Ticketfly also suffered a breach in July of that year. It was initially announced that several thousand of its user accounts had been compromised, but then the company quickly revised that figure upwards to 27 million. Luckily, on that occasion, third-party forensic cybersecurity experts confirmed that no debit or credit card details had been accessed, but the hackers did get hold of customers’ names, phone numbers, email addresses, and physical addresses.


But although this hack could have been more damaging, the simple truth is that it shouldn’t have happened at all because it’s a breach of regulatory standards. Ticketmaster UK was fined £1.25 million ($1.59 million) for breaching the U.K.’s data privacy laws in 2020. The Information Commissioner’s Office (ICO) issued the penalty in response to an attack on the company’s website in 2018.

The ICO said that as a result of the attack, personal information and payment details may have been stolen from as many as 9 million Europeans. Although a company as profitable as Ticketmaster can easily pay a fine of that size, the cost for even the richest company of repairing its reputation after such a breach can be incalculable.

This intrusion differed slightly from the See Tickets web skimming attack; in that this time the hackers found a way to access customer payment details via a third-party chatbot. Ticketmaster had installed the software (made by Inbenta Technologies) on its online payments page.

60,000 customers of Barclays bank and 6000 customers of online bank Monzo are known to have been affected by fraud. That is bad enough, but it gets worse. Monzo had warned Ticketmaster as soon as it suspected fraud, and so had Barclaycard, American Express, MasterCard, and the Commonwealth Bank of Australia.

Despite these warnings, it was a full nine weeks before Ticketmaster responded and began to monitor its payments page.

James Dipple-Johnstone, ICO deputy commissioner said, “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud,”

Yes, the breach was made using Inbenta Technologies software, but vendors are still responsible for maintaining security across every link in the supply chain. Hackers expect third-party integrations to be possible attack routes: that’s why they attack them!

So, on top of having to pay a hefty fine, and suffering considerable reputation damage, Ticketmaster also learned that thousands of fraud victims would be seeking damages for fraud arising from this preventable data breach.

A Wake-Up Call to Use Reflectiz

Retailers primarily use browsers to interact with customers and capture their payment data. They are the shop windows and also the front doors to their businesses, but they need to rely on JavaScript code from potentially dozens of partners to achieve the kind of integrations that drive the best web experience for their customers. Unfortunately, this is as good as handing the keys over to third parties, so can you trust them?
Reflectiz can defend against unwelcome incursions and keep the entire supply chain safe for vendors and customers alike. 

Subscribe to our newsletter

Stay updated with the latest news, articles, and insights from Reflectiz.

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free