Ticketmaster is telling its customers that it wasn't to blame for the infection of its site by a strain of the Magecart cred-stealing malware – despite embedding third-party JavaScript into its payments page.
In a letter to Reg reader Mark, lawyers for the controversy-struck event ticket sales website said that Ticketmaster "is of the belief that it is not responsible for the Potential Security Incident".
They were referring to the June 2018 infection of its UK website with the Magecart payment credential-stealing malware. At the time, Ticketmaster publicly blamed "a customer support product hosted by Inbenta Technologies" for the infection. Inbenta chief exec Jordi Torras immediately hit back, telling us in June: "Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat."
Our reader, who was travelling in the US when the Ticketmaster breach happened, found out that one of his bank cards was being used for unauthorised transactions in Belgium. After asking his bank to block it, Mark found that a second card had been blocked by Visa because of an "identity breach".
He told El Reg: "It's only the cards linked to my Ticketmaster account and used for purchases with them that were breached. I use the others for online and in-person purchases in various countries with no issues," adding that cards he had used with Amazon and PayPal were not compromised.
When he demanded compensation from Ticketmaster, lawyers from the Paul Hastings law firm wrote back to Mark (who showed us their letter) claiming that the ticket site was "currently undertaking an extensive investigation into the Potential Security Incident, and, in particular, its cause and the impact, if any, on customers and the privacy and security of their payment and other personal information".
They added that the breach "arose as a result of certain third party software infected with malicious code being served directly on our client's customers from third party servers; there was no security breach of our client's own servers and systems".
Ticketmaster failed to respond to multiple attempts by The Register to seek comment.
If all is as described by both Ticketmaster and Inbenta – noting that the former has not made public any details about precisely where the offending JS component was embedded – it is difficult to see how Ticketmaster could say it is not responsible for the breach while keeping a straight face.
In a statement on its website, Inbenta said: "Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code... Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it."
The breach was plugged back in June, according to Inbenta, though details of transactions made between February and June were potentially exposed.
The summer Magecart outbreak was part of what seemed to infosec researchers to be a sustained and widespread campaign. Magecart's operators had switched from trying to directly infect individual websites to targeting and compromising widely used third-party webpage elements. BA and Sotheby's Home were also infected.
The malware's typical approach involves compromising webpage elements – usually JavaScript – and injecting those elements into websites with the aim of reading customers' payment card details and beaming them back to a server controlled by criminals, ready for later misuse. ®
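
For site owners wondering where they stand, the sketch below (an added example, not code from Ticketmaster, Inbenta or the original article) audits a payment page's HTML for scripts loaded from other origins and flags those without a Subresource Integrity `integrity` attribute, which the browser has no way to verify. The sample page, hostnames and hash value are constructed placeholders, and `auditThirdPartyScripts` and `getAttr` are hypothetical helper names.

```javascript
// Constructed sample of a checkout page; hosts and the hash are placeholders.
const SAMPLE_PAGE = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/sdk.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://support-widget.example/chat.js"></script>
<script src="//analytics.example/t.js" async></script>
<script>var inline = 1;</script>
</head><body><form id="card-form"></form></body></html>`;

// Return the value of one attribute from a tag's attribute string, or null.
function getAttr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// List every script the page loads from another origin and record whether
// it is pinned with an integrity hash the browser can check before running it.
function auditThirdPartyScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = getAttr(m[1], "src");
    if (!src) continue; // inline script: no remote origin involved
    const url = new URL(src, page); // resolves relative and protocol-relative URLs
    if (url.origin === page.origin) continue; // first-party script
    const integrity = getAttr(m[1], "integrity");
    findings.push({ host: url.host, src: url.href, pinned: Boolean(integrity) });
  }
  return findings;
}

// Print one line per third-party script found on the constructed page.
const report = auditThirdPartyScripts(SAMPLE_PAGE, "https://shop.example/checkout");
for (const f of report) {
  console.log(`${f.pinned ? "pinned  " : "UNPINNED"} ${f.src}`);
}
```

An integrity hash only suits scripts whose content is fixed; a vendor script that changes without notice has to be re-pinned on every release or kept off pages that handle card data.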