Ticketing service provider ‘See Tickets’ has disclosed a data breach, informing customers that cybercriminals might have accessed their payment card details via a skimmer on its website.
Skimmers are snippets of JavaScript code injected on order checkout pages to steal inputted payment card details from customers, in this case, people who bought a ticket to a live entertainment event.
According to a data breach notification shared with the Montana Attorney General’s office, See Tickets discovered the breach in April 2021, when they started an investigation with the help of a forensics firm.
However, it wasn’t until January 8, 2022, that the malicious code was fully removed from its site.
After engaging with forensic experts and Visa, MasterCard, American Express, and Discover to investigate the incident further, See Tickets concluded on September 12, 2022, that unauthorized parties may have accessed customer credit card information.
The internal investigation showed that the infection happened on June 25, 2019, so the total duration of the exposure was just over 2.5 years.
The customer information that the hackers might have stolen includes the following data:
Full names
Physical address
ZIP code
Payment card number
Card expiration date
CVV number
See Tickets says Social Security Numbers, state identification numbers, or bank account information have not been exposed due to this incident, as they’re not stored in its systems.
Due to the type of data the hackers stole, See Tickets warns that users should be vigilant against unauthorized credit card transactions and identity theft.
Threat actors commonly use stolen credit card information to purchase goods from online stores and then sell them to private individuals for money laundering.
The proceedings of these sales are often bounced through “money mule” networks before they reach the crooks to obscure their trace.
Additionally, the notice urges the impacted recipients to remain vigilant against phishing emails or other unsolicited communication and monitor credit card statements for suspicious charges.
Unfortunately, See Tickets has not offered a free-of-charge identity protection service for the impacted individuals, so exposed customers were left on their own to deal with the consequences of the security breach.
The number of the impacted customers is unknown, and See Tickets hasn’t clarified if skimmers infected only the global site or any of the other five domains it operates for regional audiences in the U.S., Canada, and Europe.
BleepingComputer has contacted See Tickets on the matter, but we are still waiting to receive a response.
