By Source Defense

Despite its name, leading ticketing service provider See Tickets was blind to a card skimming attack that pilfered financial and personal information from its online customers for 2 1/2 years.

The attack first occurred in June 2019 and involved a JavaScript-based skimmer inserted into the checkout pages of the See Tickets website. The company, owned by France-based media giant Vivendi SA, was notified of potentially unauthorized activity in April 2021 and took until January 2022 to investigate and shut down the malicious activity. Vivendi began sending breach notifications this month.

While the number of people affected by the breach remains unknown, there are reportedly 92,074 victims in Texas alone and an undisclosed number in Vermont. Given this information, it is likely that the number of affected parties is in the hundreds of thousands. Stolen data reportedly includes personally identifiable information such as names, addresses, and zip codes, along with payment card data (card numbers, expiration dates, and CVV numbers).

The attack is strikingly similar to one conducted against See Tickets’ main rival Ticketmaster UK in 2018, which was attributed to a Magecart group. The attack against Ticketmaster resulted in more than 40,000 customers’ data being stolen.

The notorious Magecart hacker group has been responsible for some of the most sophisticated e-commerce attacks since 2015, taking advantage of vulnerabilities in the fastest-growing, slimmest-margin channel in online retailing. The client-side digital supply chain is a major point of vulnerability. It needs to be addressed, and it can be addressed easily and without adding security burden.

Digital & Security Wake-Up Call

The client side (the browser) is the primary environment used by retailers to display and capture critical customer and payment data. It is the front door for interaction with customers and their data. Your own website code, and that from potentially dozens of your partners, is served inside the browser. Your partners’ code (third-party JavaScript) executes in the browser and is granted unmanaged and unlimited access to the entire web page, including the ability to exfiltrate data (keylogging, web injection, form field manipulation, etc.) and deface/alter web page content. By integrating 3rd party JavaScript, website owners are potentially handing out skeleton keys to the front door of their business. 

You can’t drive a great web experience without these partners, but you can’t keep letting this code go unprotected. Source Defense research shows that websites that process payment card data have up to 16 3rd-party software integrations, and those partners can bring in about 6 additional parties. With the average for 3rd-party scripts in the double digits and about half of those partners adding 4th-party scripts to the page, retailers must pay more attention to strengthening client-side security.
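A site owner can start by inventorying what a checkout page actually loads. The following is an added example, not code from Source Defense or the original article: it parses a page, collects every script, and flags sources outside an approved inventory, third-party scripts without a Subresource Integrity attribute, and inline scripts whose hash is not in a baseline. The sample page, the hostnames, and the names `ScriptCollector` and `audit` are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; hostnames and the integrity value are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.payments.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.chat.example/widget.js"></script>
<script src="https://analytics.example/tag.js"></script>
<script>window.cfg = {currency: "GBP"};</script>
</head><body><form id="pay"></form></body></html>"""

class ScriptCollector(HTMLParser):
    """Records each <script> as (src, integrity, inline_body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity"), None))
            else:
                self._inline = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append((None, None, "".join(self._inline)))
            self._inline = None

def audit(page_html, page_host, approved_hosts, approved_inline):
    """Return (finding, detail) pairs for scripts outside the approved inventory."""
    collector, findings = ScriptCollector(), []
    collector.feed(page_html)
    for src, integrity, body in collector.scripts:
        if src is None:  # inline script: compare its SHA-256 with the baseline
            digest = hashlib.sha256(body.encode()).hexdigest()
            if digest not in approved_inline:
                findings.append(("inline-not-in-baseline", digest))
        elif (host := urlparse(src).hostname or page_host) not in approved_hosts:
            findings.append(("host-not-in-inventory", src))
        elif host != page_host and not integrity:
            findings.append(("third-party-without-sri", src))
    return findings
```

A static pass like this only sees scripts present in the served HTML. Scripts that partners add at runtime, the 4th parties described above, are visible only from inside the browser.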

The industry remains woefully unprepared to address these attacks and must take action now to prevent more of these years-long breaches. This is why PCI has recently included client-side security as a major focus in 4.0, and it is why Source Defense is offering a risk-free solution for retailers which can be turned on even during the seasonal website code freeze period.

The Simple, Effective Approach

The best way to defeat client-side attacks and eliminate client-side risk is to be proactive and deploy technologies that can stop the attacks before they inflict damage on your business or your visitors. By managing the code running on your web pages and within your visitors’ web browsers, a client-side security platform enables real-time control over what client-side code can and cannot do, stopping even novel and inventive attacks before they can exfiltrate data.

The Source Defense client-side security platform was designed from the ground up to provide not only ironclad security but also burden-free deployment and ongoing use. Source Defense can either scan and alert from the outside, or protect automatically by deploying just two lines of code. Maintenance and monitoring require only a few hours per month, ensuring that solving a new problem doesn’t stress already over-taxed security teams.

Request a Demo to learn more about how Source Defense can help you mitigate a material risk to your organization, keep your partners from overreaching and defend your enterprise from Client-Side Attacks.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.