Navigating the Aftermath of the Ticketmaster Breach


Written by: MJ Kaufmann, Cybersecurity Author & Instructor

It’s only halfway through 2024, and the number of breaches that have rocked the world has been staggering, not only because of how many have occurred, but because of the millions of victims affected. The latest batch hit one of the world’s largest live entertainment providers, Ticketmaster, and its parent company, Live Nation.

Unlike many other attacks this year that have had a major ransomware component, this one is tied back to risk from a third-party provider – the often overlooked entry point for threat actors.

Even as the dust from the attack settled, more victims were discovered, leading to what may be the largest breach of the year by the time all the damage is sorted, with a victim list that may include major companies such as PepsiCo, Kraft Heinz, Mastercard, Siemens, and AT&T.

So, What Hackened?

In the initial onslaught of news articles, headlines were saturated with Ticketmaster’s exposure of the personal data of 560 million users. This data included names, addresses, phone numbers, and partial payment details. Sensitive information such as ticket purchase histories, order details, and event information was also compromised.

When Ticketmaster discovered the breach, Live Nation, its parent company, launched an investigation with industry-leading forensic experts to understand the extent and nature of the breach. On May 20, 2024, they identified unauthorized activity within Snowflake, a third-party cloud database. By May 27, 2024, a full week later, they knew the stolen data was being offered for sale on the dark web. If one day is too late to discover a breach, a full week is disastrous. 

Inspecting the Snowflake(s)

After being tied to this massive breach, more victims started to emerge, forcing Snowflake to conduct its own investigation to determine whether it was at fault. It engaged prominent cybersecurity firms CrowdStrike and Mandiant to thoroughly investigate and implement mitigation strategies. 

The investigation revealed that the attackers had used spear phishing to deliver information-stealing malware, harvesting credentials from a third party working for Snowflake customers rather than from a Snowflake employee, as many had reported. These credentials allowed the hackers to bypass Okta-based security systems, granting them access to customer data. Snowflake promptly provided indicators of compromise (IoCs) and security recommendations to the affected clients. As is the case with many data security solutions, the actions offered focused on mitigation and damage control, with no real means of preventing a repeat.

Mixed Failures

Information from this investigation also uncovered significant shortcomings on the part of some Snowflake customers. Many clients failed to implement multi-factor authentication (MFA) on their Snowflake accounts, in both demo and production environments. The hackers exploited these weak points at the third parties that Snowflake customers relied on, using credentials harvested by information-stealing malware.

Making it even worse, some customers did not promptly disable inactive accounts or the accounts of former employees, leaving them open to exploitation. Poor password management and insufficient monitoring of account activity further facilitated the breach. However, it doesn’t have to be this way. To better understand and leverage Snowflake data security to keep you safe from breaches, you can read our blog here.

Preventing Future Data Risks

Organizations must adopt a proactive and comprehensive approach to data security to prevent future failures. Inadequate security measures and reliance on third-party providers exacerbated the Ticketmaster breach. There was no reason it should have escalated to this point, especially when it could have been mitigated by using sensible security controls to limit access by someone using lost or stolen credentials.

In fact, the attack could have been halted at multiple points had third parties been required to implement appropriate malware prevention in the form of CDR (Content Disarm and Reconstruction). With CDR in place, the threat could have been eliminated before credentials were ever stolen in the first place. Similarly, had they leveraged tooling to mask personally identifiable information (PII), then even if attackers had acquired credentials and MFA was lacking, nothing of merit could have been stolen in the attack.

Understanding the Customer’s Responsibility

When it comes to maintaining data security on cloud platforms like Snowflake, clients have a responsibility that cannot be ignored. They must not assume the platform is secure by default, but adjust the settings they control, such as enforcing MFA across all accounts, including both demo and production environments. This extends to strict credential management, including strong, unique passwords.

When possible, clients need to manage how these services are operated, actively monitor account activity, promptly respond to suspicious behavior, and conduct regular audits. By controlling the functions they can, customers reduce their overall risk, especially if their data security solution is not grounded firmly in the principles of Zero Trust.
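The account hygiene gaps described above (no MFA, former-employee and dormant accounts left enabled, logins that nobody is watching) can be checked continuously rather than discovered after the fact. The following is an added example written for this post, not code from Votiro or Snowflake: it runs an audit over a constructed set of account records and login events, where the record fields and the 90-day inactivity limit are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Account:
    # Constructed record layout; field names are illustrative, not a platform's schema.
    name: str
    has_mfa: bool
    disabled: bool
    employed: bool                 # still on the HR roster
    last_login: Optional[datetime]
    environment: str               # "prod" or "demo"

NOW = datetime(2024, 6, 1)
INACTIVITY_LIMIT = timedelta(days=90)  # assumed policy threshold

# Constructed sample accounts exercising each failure mode the post names.
SAMPLE_ACCOUNTS = [
    Account("analyst_a",    True,  False, True,  NOW - timedelta(days=2),   "prod"),
    Account("contractor_b", False, False, True,  NOW - timedelta(days=5),   "prod"),  # no MFA
    Account("demo_user",    False, False, True,  NOW - timedelta(days=1),   "demo"),  # demo env skipped MFA
    Account("former_emp",   True,  False, False, NOW - timedelta(days=200), "prod"),  # left, still enabled
    Account("svc_loader",   True,  False, True,  NOW - timedelta(days=120), "prod"),  # dormant
    Account("old_intern",   False, True,  False, None,                      "prod"),  # disabled: nothing to flag
]

# Constructed login events; "ok" marks a successful authentication.
SAMPLE_LOGINS = [
    {"user": "analyst_a", "ok": True},
    {"user": "former_emp", "ok": True},
    {"user": "contractor_b", "ok": True},
    {"user": "svc_loader", "ok": False},
]

def audit_accounts(accounts, now=NOW):
    """Return {account name: [issues]} for every enabled account that fails a hygiene check."""
    findings = {}
    for acct in accounts:
        if acct.disabled:
            continue  # a disabled account cannot be used with stolen credentials
        issues = []
        if not acct.has_mfa:
            issues.append(f"no MFA ({acct.environment})")
        if not acct.employed:
            issues.append("former employee still enabled")
        if acct.last_login is None or now - acct.last_login > INACTIVITY_LIMIT:
            issues.append("inactive > 90 days")
        if issues:
            findings[acct.name] = issues
    return findings

def alert_on_logins(logins, findings):
    """Successful logins to accounts that failed the audit are the events to respond to first."""
    return [(e["user"], findings[e["user"]]) for e in logins if e["ok"] and e["user"] in findings]
```

Running the audit on a schedule and routing `alert_on_logins` output to an on-call queue turns "insufficient monitoring" into a concrete control: a successful login on a former employee's account becomes a page, not a footnote in a forensic report.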

Using DDR To Prevent Data Loss

As part of controlling risk, customers should focus on preventing data loss with Data Detection & Response (DDR) tools. Effective DDR tools identify and mitigate threats before data can be compromised, providing real-time monitoring and response to suspicious activities. Techniques like masking and tokenization are employed to protect sensitive data. Masking strips personal identifiers, rendering data anonymous and useless to interceptors, while tokenization replaces sensitive elements with non-sensitive tokens. These measures help automate incident response, reduce breach impact, and support compliance with data protection regulations by ensuring robust security protocols are in place.
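The difference between the two techniques matters when credentials are stolen: masked data cannot be recovered by anyone, while tokenized data can be recovered only by whoever holds the vault. The example below is added for this post and is not Votiro's implementation; the order record is constructed, and the redaction marker, the last-four-digits rule for cards and the random-token scheme are assumptions chosen for illustration.

```python
import secrets

# Constructed sample order record modelled on the data types the post lists; all values are made up.
SAMPLE_ORDER = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "phone": "+1-555-0100",
    "card": "4111111111111111",
    "event": "Stadium Tour 2024",
    "order_total": "120.00",
}
PII_FIELDS = ("name", "email", "phone", "card")

def mask_record(record):
    """Masking: irreversibly strip identifiers. A copy of this record yields no PII to a thief."""
    masked = dict(record)
    for field in PII_FIELDS:
        value = masked[field]
        if field == "card":
            masked[field] = "*" * (len(value) - 4) + value[-4:]  # keep only the last four digits
        else:
            masked[field] = "<redacted>"
    return masked

class TokenVault:
    """Tokenization: swap each sensitive value for a random token and keep the mapping here.
    The vault is the asset to protect; a tokenized dataset is worthless without it."""
    def __init__(self):
        self._forward = {}  # value -> token
        self._reverse = {}  # token -> value

    def tokenize(self, value):
        if value not in self._forward:  # same input always maps to the same token
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token):
        return self._reverse[token]

def tokenize_record(record, vault):
    """Return a copy of the record with every PII field replaced by its vault token."""
    out = dict(record)
    for field in PII_FIELDS:
        out[field] = vault.tokenize(out[field])
    return out
```

Analytics over masked or tokenized copies still sees the event and order total, so the data stays useful internally while a stolen copy carries nothing a buyer on the dark web could resell.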

Data Protection Where It Matters

These attacks against Snowflake and Ticketmaster have shown us that no company, big or small, is safe from attack. Votiro’s Zero Trust Data Detection & Response arms organizations with the tools necessary to ensure real-time privacy and compliance for sensitive data – while also stopping hidden malware that commonly leads to data exposure in its tracks.

Votiro Zero Trust DDR safeguards sensitive data by sanitizing it as it moves across organizational boundaries via file sharing, emails, collaboration platforms, and more. It continuously monitors unstructured data, detecting and anonymizing sensitive information in real time. This proactive approach ensures that organizations maintain control over their data security, effectively preventing data leaks and breaches. By adhering to regulatory compliance, Votiro’s DDR solution provides a robust defense against potential threats, ensuring sensitive data remains protected throughout its lifecycle.

To learn more about Votiro’s Data Detection & Response capabilities, secure your ticket to a one-on-one demo of the platform, or try it free for 30 days and see how Votiro can proactively defend your organization from the next big data breach.
