Ticketmaster confirms data breach with a SEC filing (stackdiary.com)
145 points by skilled 3 months ago | 65 comments



> Researchers are also warning that it’s part of a larger ongoing hack involving a cloud service provider called Snowflake which is used by many large firms to store data in the cloud.

Now that’s interesting. Anyone know how they’re related?


There was a decent sized discussion here yesterday about the larger hack [0]

The original article was pulled, strangely with no explanation as to why. And to make it even more confusing, Snowflake’s press release is pretty heavy with corporate speak, making it difficult to tell if they’re outright denying it happened or if they’re dangling keys trying to buy themselves time.

It’s worth going to the discussion.

[0] https://news.ycombinator.com/item?id=40534868



One of the fun things about these messes is that sometimes you think you're unaffected, but then it turns out the company bought one of the companies you actually did sign up with, and all of a sudden you're a part of a database you never signed up for.

Had that happen a few times with my +company@gmail filters that went on to reveal the trail of acquisition breadcrumbs.


If somebody becomes a victim of this Ticketmaster fraud then the company should be fully liable. We really need an event such as this to bankrupt a company and for all the C-level suits to be made financially bankrupt too. Let's use the likes of Ticketmaster fraud as a starting point to make these companies prevent fraud in the first place; instead they pass the buck to those customers defrauded.


Who should "go bankrupt" in this case? Ticketmaster? Snowflake? Snowflake's data subprocessors? The manufacturer(s) of the desktop or security apps on the compromised employee's machine? I get your natural but naive reaction, but as someone who just lived through the Sisense breach as neither the original source nor the end-user, it's much more complicated than you try and present it.


> I get your natural but naive reaction, but as someone who just lived through the Sisense breach as neither the original source or end-user, it's much more complicated than you try and present it.

If they find it too complicated to keep our data safe then they shouldn't store it and make billions annually trading in our information.

I don’t think it’s unreasonable to expect them to take responsibility for their own actions. Either they’re responsible enough to collect our data and use it or they’re not.


Next week.

Ticketmaster introduces new 'data protection fee' to all ticket purchases.


https://theshovel.com.au/2024/05/30/ticketmaster-hacker-dema...

“Ticketmaster Hacker Demands $500K Ransom (Plus $300K Ransom Processing Fee, $220K Ransom Handling Fee)”

Whole (joke) article is hilarious.


Will include AI to make it more safe.


Cool, rise of concert tourism? At least better than medical tourism ig.


You’d think for all the additional booking fees that they’re known for charging that they’d invest a little more into security of their infrastructure both internally and externally…


Why should they invest? Most likely nothing bad will happen to their bottom line or execs so no reason to invest in security. We decided that profits are more important than accountability.


They recently got sued for being a monopoly. They have no incentive to do better. And unfortunately this probably won’t change anything. https://www.justice.gov/opa/pr/justice-department-sues-live-...


On the contrary, economists have known for some time [1] that this (investing in improvements to their product) is exactly what monopolies DON'T do well.

And the DoJ is suing Ticketmaster for being an abusive monopoly as we speak, so.....

[1] Actually, we've known this as far back as Adam Smith! He talked a fair bit of shit about monopolies in The Wealth of Nations. His "invisible hand," after all, was competition, which monopolies by definition don't have.

Remember this every time someone talks shit about capitalism and points to corrupt and abusive American monopolies as evidence of why it's a failed system. America's government only really started leaning into its modern love for monopolies from the Reagan administration onward - in defiance of centuries of evidence that it was a bad idea.


Their data was exposed by breaching a third party service. I'm not sure how investing more in security could have helped prevent this.

You could argue that they shouldn't be housing this data with Snowflake but then you could say the same about a service like Amazon S3.

At what point is a company able to rely on a third-party vs being expected to run it in-house?


You're right, but nobody here cares about the details of data subprocessors and how a lot of nodes in the chain get impacted. It doesn't play well on the internet where short & pithy moral outrage is the level of discourse.

It makes me sad that the initial reaction is gleeful & mean-spirited towards the targets, when if you've ever been involved in something like this you'd hope it would be empathy for what a lot of Snowflake and TM employees are working on this weekend, and anger towards the hackers. It's like people forget that because it's data and the targets are big companies these criminals aren't stealing from real people and making the world a worse place.


Like anything ever happened to any company that had a data breach. It's been shown time and again that it's a waste of money to care about this. In contrast, what is worth it is to do the minimum necessary to check the boxes on whatever certification the business is trying to get.


Nope those fees might as well be called "yachts for executives fee"


Who would think that? Extra earned resources never go into improving security; why would it be different with Ticketmaster? Live Nation Entertainment / Live Nation, owner of Ticketmaster, is a public for-profit company, 100% of their focus will be on "more money now", and security doesn't contribute to that, so of course they wouldn't focus on that.


Those yachts won't get bought themselves.


Two weeks ago, when attending a concert, I got forced TWICE back to back to reset my password when logging in.

I jokingly called it then that Ticketmaster got breached. Crazy to see this being actually true.


I feel like I often have to log in again with Ticketmaster and I'm never sure if they can't figure out token refresh logic or if it's some kind of anti-theft measure or what.


Happens all the time:

I need the wretched app to go to a QR code-only concert. Would love to take up a stallman-esque stand against this, but the bands I love aren't getting any younger and neither am I.

Need to show my digital ticket to the steward. Only to find the app has again signed out, spend ages fumbling with my phone and password manager to sign in, while standing in the rain outside of the venue.

Not the seamless experience they promise!


Idk if you could take a screenshot of the QR code for offline use? I always do this when buying public transport tickets in Europe.


The last half-dozen concerts I've been to have some sort of live code or something where screenshots don't work. I haven't spent enough time trying to deduce if the code itself changes or if the scanner just reads animation over the code, but at least for the moment you do need the live app to get into most concerts if they're using the Ticketmaster or Live Nation apps.


It's almost certainly the code that changes.

That's easy to program and is very common in apps that produce scannable QR codes that they don't want duplicated, that will only work for the next e.g. 60 seconds.

Any animation that could reliably be picked up by a scanning camera would necessarily be quite visible to the user. Just think of how QR codes often don't even work until you increase your phone's brightness, and they're as high-contrast as you can get...
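The rotating-code scheme described in this comment (a code that only verifies for the next minute or so) is straightforward to implement as an HMAC over the ticket ID and the current time window. The following is an added illustration written for this thread, not Ticketmaster's or Live Nation's code; the secret key, the 60-second window, the ticket IDs and the payload format are all constructed for the example. A rotating code alone only defeats stale screenshots, so the scanner side also tracks tickets already admitted, which is what actually stops a screenshot shared within the same window.

```python
import base64
import hashlib
import hmac

# Assumption for this demo: a per-issuer secret shared by the app backend and
# the venue scanners. Constructed key for illustration, not any real system's.
SECRET = b"constructed-demo-secret-do-not-reuse"
WINDOW_SECONDS = 60      # how often the displayed code rotates
ALLOWED_SKEW = 1         # accept the previous/next window to absorb clock drift


def window_index(ts: int, window: int = WINDOW_SECONDS) -> int:
    """Map a Unix timestamp to the rotation window it falls in."""
    return int(ts) // window


def make_code(ticket_id: str, ts: int, secret: bytes = SECRET,
              window: int = WINDOW_SECONDS) -> str:
    """Build the payload the app would render as a QR code at time `ts`.

    The MAC binds the ticket to the current window, so the same ticket shows
    a different code every `window` seconds and a screenshot goes stale.
    Ticket IDs must not contain '.', which is the field separator here.
    """
    idx = window_index(ts, window)
    msg = f"{ticket_id}|{idx}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()[:12]
    tag_b64 = base64.urlsafe_b64encode(tag).decode().rstrip("=")
    return f"{ticket_id}.{idx}.{tag_b64}"


class Scanner:
    """Gate-side verifier: checks the MAC, the time window, and single use."""

    def __init__(self, secret: bytes = SECRET, window: int = WINDOW_SECONDS,
                 skew: int = ALLOWED_SKEW):
        self.secret = secret
        self.window = window
        self.skew = skew
        self.admitted: set[str] = set()   # tickets already used at this gate

    def verify(self, code: str, now: int) -> tuple[bool, str]:
        try:
            ticket_id, idx_str, _tag = code.split(".")
            idx = int(idx_str)
        except ValueError:
            return False, "malformed"
        if abs(window_index(now, self.window) - idx) > self.skew:
            return False, "expired"           # stale screenshot
        expected = make_code(ticket_id, idx * self.window, self.secret, self.window)
        if not hmac.compare_digest(expected, code):
            return False, "bad-mac"           # forged or edited code
        if ticket_id in self.admitted:
            return False, "already-admitted"  # screenshot shared within the window
        self.admitted.add(ticket_id)
        return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    code = make_code("TKT-0001", now)
    gate = Scanner()
    print(code, gate.verify(code, now))          # fresh scan: admitted
    print(gate.verify(code, now + 5))            # same code again: rejected
    print(Scanner().verify(code, now + 200))     # old screenshot: expired
```

In practice the phone's clock and the scanner's clock drift, which is why one neighbouring window is accepted; widening that skew lengthens the useful life of a screenshot, so it is a security parameter, not just a usability one.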


If you have refresh tokens in your first-party authentication flow you are already a good way down complexity lane - best to avoid IMO.


Ticketmaster has recently been sued by the DoJ for monopolizing: https://www.justice.gov/opa/pr/justice-department-sues-live-...

Too bad nothing will improve because of this.


This is potentially related to the Snowflake breach reported yesterday.

https://www.theverge.com/2024/5/31/24168984/ticketmaster-san...


There is no confirmation of a "Snowflake breach". Single accounts might have been compromised, but that's all we know for sure so far.


And in Australia, Ticketek, which has also filed an Australian cyber crime report. So far only name, DOB and address.


Anybody who is concerned and wants to learn what personal info Ticketmaster holds on them, and hence what may have been compromised, and who lives in a country where GDPR applies, can send them a GDPR subject access request, e.g. something like [0]. Their emails in general look like privacy@ticketmaster.XXX where XXX is the country code, but probably double check to make sure.

[0] https://www.linkedin.com/pulse/nightmare-letter-subject-acce...


As per the Ticketmaster website [1], there are also the following forms to request a copy of your data:

- US: https://privacyportal.onetrust.com/webform/ba6f9c5b-dda5-43b...

- Non-US countries: https://privacyportal.onetrust.com/webform/ba6f9c5b-dda5-43b...

[1] https://privacy.ticketmaster.com/en/privacy-policy#your-choi...


The non-US one sounds like a type of mediation. GDPR requests have teeth.


What data was leaked specifically? Were my payment credentials or bank account information leaked? How do customers know how to respond to this?


> The hackers also shared a sample of the data, which includes hashed credit card numbers, the last four digits of credit cards, credit card expiration dates, and fraud details, as well as customer names, addresses, and emails.

https://www.cyberdaily.au/security/10632-hackers-claim-ticke...
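A caveat on the "hashed credit card numbers" in that sample: a hash of a card number on its own is not much protection when the last four digits sit next to it, because the remaining digits have very little entropy. The following is an added illustration for this thread, not code from Ticketmaster, Snowflake or the researchers. It assumes an unkeyed SHA-256 over the bare 16-digit PAN (the article does not say which hash was used or whether it was salted or keyed), and assumes the attacker knows or guesses the six-digit issuer prefix, which is public information per issuer; the card number in the demo is constructed to pass the Luhn check and is not a real account.

```python
import hashlib
import hmac


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN: the weak 'hashed card number' pattern."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 with a secret key: candidates cannot be checked without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, bin6: str, last4: str, hasher,
                length: int = 16, max_candidates=None):
    """Enumerate the unknown middle digits; return (pan_or_None, candidates_hashed).

    With the first 6 and last 4 digits known, a 16-digit PAN has only 10**6
    possibilities, and the Luhn check discards about 90% before any hashing.
    `max_candidates` bounds the work for the demo of the keyed case.
    """
    middle = length - len(bin6) - len(last4)
    tried = 0
    for n in range(10 ** middle):
        cand = f"{bin6}{n:0{middle}d}{last4}"
        if not luhn_ok(cand):
            continue
        tried += 1
        if hasher(cand) == target:
            return cand, tried
        if max_candidates is not None and tried >= max_candidates:
            break
    return None, tried


if __name__ == "__main__":
    # Constructed, Luhn-valid sample PAN (assumption: not a real account).
    pan = "4532010000421238"
    leaked = plain_hash(pan)                     # what a breach dump would contain
    print(recover_pan(leaked, "453201", "1238", plain_hash))
    # Keyed variant: an attacker guessing a wrong key never gets a match.
    leaked_keyed = keyed_hash(pan, b"server-side-secret")
    print(recover_pan(leaked_keyed, "453201", "1238",
                      lambda p: keyed_hash(p, b"wrong-guess"), max_candidates=5000))
```

The search is about 10^5 hashes per issuer prefix, which is seconds on a laptop; whether the real dump is this weak depends on details the article does not give (salting, keying, truncation, or proper tokenization through a vault), but storing the hash beside the last four and the expiry date is exactly the combination that makes the unkeyed form cheap to reverse.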


Does anyone know what "fraud details" are? Is this just ("just", I say) the answers to security questions, or is this, like, your mother's maiden name and every address you've ever lived at and all the other stuff that would let anyone on earth open a bank account in your name?


I don’t know about the sample of leaked data, but I presume the fraud details are just a boolean value, true or false, meaning the transaction was rated legitimate or not.


Situation sounds ripe for a new credit monitoring service, “Creditmaster”. Be the problem, and sell the solution!


Ticketmaster historically has had a very unusual architecture – they wrote their own operating system for the VAX, and ran their core application on top of it. When the VAX reached end-of-life, most users had a migration path elsewhere – VMS users went to Alpha, Unix could either go to Alpha or to a competing Unix platform – Ticketmaster didn't have any such path, because when you write your own operating system, porting it to a new platform is all on you. It didn't help that most (all?) of it was written in assembly language. So they ended up writing their own VAX emulator for Linux, and hence their in-house VAX operating system could continue to run as an app under Linux.

And they've been trying for years to get away from all that legacy on to a more mainstream platform. (And for all I know that legacy system is still running today.) But this breach clearly has nothing to do with all that, since it involved a breach of the Snowflake cloud database. So either the legacy system's replacement, or some supporting system.

Side note: Terry Davis was one of the developers of Ticketmaster's OS, before he wrote TempleOS, although they created their OS years before he was hired. He credited working on Ticketmaster's OS as part of his inspiration for writing his own.


Wouldn’t the data be worth more than £400k on the black market?


It’s an interesting question. What’s the going $:identity exchange rate I wonder? Based on this ransom $0.0009 per identity?


Where does my convenience fee go if not to securing my data? Court should order a rebrand to Ticketchump


"As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing"

Ah, All is well then. It has no material impact on your business.

So, the 600'000'000 affected customers can kindly go and fuck themselves?


Look, I get just being blindly outraged at a hack and the hate that Ticketmaster seems to generate, but the company wrote this for the regulators and shareholders as much as anything.

They have a legal duty to report hacks and report if it will have any effect on their business. And this is what they are doing here. Being outraged because a company does what they are legally obliged to do just makes you angry for no reason.

They'll address the hack to customers no doubt, in a separate email/communication.

At no point did they say the 600M people "can kindly go and fuck themselves" and contorting things to try and get there will just make you angry. If you want to blindly feel anger, you're welcome to, but the company did what they should here.


I see both sides of this, but I think I would side with the original comment. It's not just blind outrage or something like that. The point is that there ought to be impact on Ticketmaster business. They messed up and there should be a cost to the company. They should be paying big fines or compensating their users. It should be entirely possible for a company to go bankrupt in such a situation, which would incentivise better internal practices.


So this is an interesting case because by all accounts it was Snowflake that got compromised, not Ticketmaster themselves. So this isn’t them messing up but their vendor. I get the argument that you are responsible for your vendors, but at the same time the whole point of buying a SaaS product is precisely to hire domain experts to run a piece of infrastructure that you have less experience with. Security is very hard even for major companies with a stronger culture of it who spend much more resources on it, like Apple and Google. It’s not clear that Ticketmaster would have done a better job.

I think the view I’m most sympathetic to is that customer information should be viewed and reported on as a toxic asset/liability to discourage gathering of personal information in the first place.


>At no point did they say the 600M people "can kindly go and fuck themselves"

With nary a word this was fully implied way before they even started collecting customer data.

Companies can have this attitude regardless of whether there is any data at all.


They basically said:

- no expected damage for the leak

- no cost for any remediation

- no cost for any legal issue

- no expected cost to ensure it does not happen again

If you believe that they should be impacted then it's kind of a Fuck you.

They are not the ones making the law but it certainly looks like they will plainly use the fact that they can continue business as usual with almost no impact.


>> At no point did they say the 600M people "can kindly go and fuck themselves"

That is exactly what they said. Verbatim. That's how my brain received it, anyway.


Then you should see a doctor because you're either hallucinating or don't know what verbatim means. This is a specific communication for a specific audience and there are legal requirements around what is reported.


The problem is that there is no material impact due to these issues. The shareholders should absolutely be impacted and the company on the hook for damages


The more damning part is this though 'Ticketmaster refused to confirm it to reporters or customers and instead notified shareholders late on Friday.'

They cared more about their shareholders than users.


> At no point did they say the 600M people "can kindly go and fuck themselves"

It's TicketMaster, that's their business model. No need to say it again in this message to the SEC.


Hey now, Ticketmaster will continue to fuck us too!


The PR is for shareholders, not the peasants.


That's just a requirement for the SEC filing. If it has interrupted business operation, it needs to be specified. Think if a hospital or a manufacturer has a breach.


This statement is for investors and managers, not customers. Customers don't typically read statements filed with the SEC. Companies get hacked all the time and the material effect on the underlying business is, indeed, often not significant. Especially for something as monstrously huge as TicketMaster.


Sounds like the Equifax breach response ;) nothing to worry I guess


They aren't wrong, consequences for them are likely light. There's simultaneously a huge breach with Snowflake, which is high impact as many companies would have their customer data in a platform like that. And past breaches like Equifax that exposed almost everyone.

They are mostly just acknowledging that the general public has "breach fatigue". Nobody cares anymore. It's just another 12 months of free monitoring on top of the others you already have. So now you just freeze your credit until you need a loan, unfreeze it, put it back.


Oh. Come on. This isn’t the Joe Bloggs News comment section. That quote is from an SEC filing. The literal purpose is to update shareholders on exactly this. There’s so much to hate about TM without stooping to this.


It wasn't the shareholders' data that was leaked.

A bit of contrition is required. Not a nice to have. Not contextual. Required.


Not in an SEC filing, it's not.


Isn't this timing weird in that they just got charged by the DOJ with monopoly? "Oh we had a hack, that's why we cannot find the documents, your honor."



