Analyzing The 2024 Ticketmaster Breach

Any time high-profile data breaches occur, cybersecurity attracts attention and scrutiny from beyond the security community.

The 2024 Ticketmaster breach was one recent incident that mainstream media sources devoted a lot of column space to.

Much of the commentary focused on the fact that hackers managed to compromise the cybersecurity defenses of yet another big company.

“Why does this keep happening?” was the prevailing question. 

But what exactly happened in this breach, and what did Ticketmaster do to limit damage? Was it another cybersecurity PR disaster or are there any positive elements to focus on?

This article takes a look at the 2024 Ticketmaster breach and offers some perspective on Ticketmaster’s response. You’ll also get tips on improving how well your company’s incident response (IR) plan works. 

Ticketmaster Breach: What Happened? 

The prolific threat group ShinyHunters carried out the attack against Ticketmaster by gaining access to Ticketmaster data held in Snowflake, a third-party cloud-based data warehouse. Early reporting alleged that Snowflake itself had been compromised.

Companies use solutions like Snowflake to store and analyze vast volumes of data for useful insights.

While Snowflake denies fault for the breach, the company did confirm an ongoing campaign targeting customer accounts that relied on single-factor (password-only) authentication.

The attack vector in this case appears to have been stolen credentials for a Snowflake account. The credentials were harvested by info-stealing malware on a device with access to that account; such malware typically arrives when the target opens a phishing email attachment or visits a malicious website. With no second factor enforced, a valid password was enough to log in.

Once authenticated, the attackers were able to query and exfiltrate data that ShinyHunters later claimed covered up to 560 million Ticketmaster customers.
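The pattern described above, a successful password-only login from an address the account has never used before, is exactly what a detection engineer would hunt for in Snowflake's login audit data. The block below is an added example written for this article, not Ticketmaster's or Snowflake's own code. The login records are constructed to match the column names Snowflake exposes in the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the per-user baseline of known IP addresses is an assumption standing in for whatever asset inventory or historical data a real team would use.

```python
"""Added example (not from the original article or from Ticketmaster/Snowflake):
flag password-only Snowflake logins, especially from previously unseen IPs,
using the column names of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
All records and the known-IP baseline below are constructed for illustration."""

from typing import Dict, List, Optional, Set

# Query a practitioner would run against the real view to pull the same rows.
# (Column names are Snowflake's; the 30-day window is an assumption.)
HUNT_QUERY = """
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
"""

# Constructed sample rows shaped like LOGIN_HISTORY output (subset of columns).
SAMPLE_LOGINS: List[Dict[str, Optional[str]]] = [
    {"event_timestamp": "2024-04-01T09:02:11", "user_name": "ANALYST_1",
     "client_ip": "203.0.113.10", "reported_client_type": "SNOWFLAKE_UI",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "OTP", "is_success": "YES"},
    {"event_timestamp": "2024-04-02T03:14:52", "user_name": "SVC_ETL",
     "client_ip": "198.51.100.7", "reported_client_type": "PYTHON_DRIVER",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-02T03:40:08", "user_name": "SVC_ETL",
     "client_ip": "192.0.2.55", "reported_client_type": "PYTHON_DRIVER",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-02T03:41:30", "user_name": "ANALYST_1",
     "client_ip": "192.0.2.55", "reported_client_type": "SNOWFLAKE_UI",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO"},
    {"event_timestamp": "2024-04-03T10:05:00", "user_name": "ANALYST_1",
     "client_ip": "192.0.2.55", "reported_client_type": "SNOWFLAKE_UI",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "OTP", "is_success": "YES"},
]

# Assumed baseline: source addresses each account has legitimately used before.
KNOWN_IPS: Dict[str, Set[str]] = {
    "ANALYST_1": {"203.0.113.10"},
    "SVC_ETL": {"198.51.100.7"},
}


def find_suspicious_logins(rows, known_ips):
    """Return one finding per successful login that is single-factor and/or
    from an IP not in the user's baseline. Severity: high = both, medium =
    single-factor only, low = new IP only. Failed logins are ignored here."""
    findings = []
    for row in rows:
        if row["is_success"] != "YES":
            continue
        reasons = []
        if row["second_authentication_factor"] is None:
            reasons.append("single-factor login")
        if row["client_ip"] not in known_ips.get(row["user_name"], set()):
            reasons.append("first-seen source IP for this user")
        if not reasons:
            continue
        severity = "high" if len(reasons) == 2 else (
            "medium" if reasons[0] == "single-factor login" else "low")
        findings.append({"user_name": row["user_name"],
                         "client_ip": row["client_ip"],
                         "client_type": row["reported_client_type"],
                         "timestamp": row["event_timestamp"],
                         "severity": severity, "reasons": reasons})
    return findings


def users_without_mfa(rows) -> Set[str]:
    """Accounts that have successfully logged in without a second factor;
    these are the ones an MFA-enforcement policy should fix first."""
    return {r["user_name"] for r in rows
            if r["is_success"] == "YES" and r["second_authentication_factor"] is None}


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOGINS, KNOWN_IPS):
        print(f["severity"].upper(), f["user_name"], f["client_ip"], "; ".join(f["reasons"]))
    print("accounts needing MFA:", sorted(users_without_mfa(SAMPLE_LOGINS)))
```

In the constructed data the service account SVC_ETL is the high-severity hit: it has never used a second factor and its third login comes from an address it has never used before, which is the shape of an info-stealer credential being replayed. Service accounts that cannot do interactive MFA are the usual gap; for those, Snowflake network policies restricting source IPs are the compensating control the query above helps you justify.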

An official data breach notification submitted to the Maine Attorney General on July 8th, 2024 states that the number of people impacted was greater than 1,000. The same notification describes the cause as an “external system breach.”

Providing the bare minimum details in a data breach notification is probably an exercise in damage control and public relations (PR) aimed at managing the company’s reputation by preventing panic among customers and stakeholders. 

ShinyHunters is a group already associated with several high-profile cyber attacks. Following the breach, a dark web forum post offered the stolen data for sale at a price of $500,000.

A more recent post (with a demand for a larger ransom) in July 2024 claimed the threat actors had barcode data for hundreds of thousands of tickets to Taylor Swift’s Eras tour.

Pure data extortion, exfiltrating data and demanding payment without first encrypting anything with ransomware, is increasingly common among groups like ShinyHunters.

Ticketmaster’s Preparation and Response

Whether it was a Snowflake employee’s account or a Ticketmaster Snowflake account that got hacked, this incident reinforced the peril of increased third-party security risks. But how about Ticketmaster’s own preparation and response?

  • On May 28th, a filing to the Securities and Exchange Commission (SEC) by parent company Live Nation Entertainment described launching an investigation with industry-leading forensic investigators to understand what happened. This is a positive because it happened quickly after the company found out about the breach.

  • The data breach notification suggests it took Ticketmaster 51 days to discover they’d been breached. This is well under the 204-day mean time to identify a breach reported in IBM’s 2023 Cost of a Data Breach study, which suggests Ticketmaster's monitoring and detection were effective compared to the average.

  • The stolen barcodes that ShinyHunters accessed aren’t usable to gain entry to events because Ticketmaster uses a technology that dynamically refreshes barcodes every few seconds, so a captured barcode value expires almost immediately. This proactive data protection measure mitigated some of the damage.

  • Ticketmaster’s incident response plan didn’t appear to be particularly well-rehearsed, though. Media outlets reported that Ticketmaster sent emails to affected customers in July 2024, well over a month after the company discovered the breach. Clear lines of communication and prompt notifications to affected parties are pivotal parts of incident response. 

  • Containment and mitigation actions within this incident response plan also seem to have fallen short. Initially, the company only mentioned that hackers accessed customer names and basic contact info. The later headlines about event barcodes suggest either that the attackers retained access or that the scope of the original exfiltration was larger than first disclosed. 
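The rotating-barcode point above is worth seeing in code, because it shows why exfiltrated barcode data loses most of its value. The block below is an added example written for this article, not Ticketmaster's implementation: it derives a barcode payload from a per-ticket secret and the current time window, TOTP-style, and checks it at the gate with a small tolerance and replay protection. The 15-second rotation step, the 9-digit payload, the per-ticket secret and the `Turnstile` class are all assumptions for illustration.

```python
"""Added example (not Ticketmaster's implementation): a time-rotating ticket
barcode built like a TOTP (RFC 6238) with HOTP-style dynamic truncation.
Step size, digit count, secret and the Turnstile gate are assumptions."""

import hashlib
import hmac
import struct
import time

STEP_SECONDS = 15   # assumption: how often the barcode value rotates
DIGITS = 9          # assumption: width of the numeric payload in the barcode


def barcode_value(ticket_id: str, secret: bytes, unix_time: int,
                  step: int = STEP_SECONDS) -> str:
    """Payload shown in the barcode for `ticket_id` during the window that
    contains `unix_time`. Without `secret` a scraped value cannot be extended
    to the next window, so a stolen barcode is only good for seconds."""
    counter = unix_time // step
    msg = ticket_id.encode() + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify(ticket_id: str, secret: bytes, presented: str, unix_time: int,
           tolerance: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the presented payload if it matches the current window or one
    window either side (clock skew between phone and scanner)."""
    counter = unix_time // step
    for c in range(counter - tolerance, counter + tolerance + 1):
        expected = barcode_value(ticket_id, secret, c * step, step)
        if hmac.compare_digest(expected, presented):
            return True
    return False


class Turnstile:
    """Gate scanner: validates the rotating payload and refuses a second
    admission for the same ticket, so even a still-fresh copy cannot be
    replayed once the legitimate holder is inside."""

    def __init__(self, secrets):
        self._secrets = secrets          # ticket_id -> secret (assumed lookup)
        self._admitted = set()

    def scan(self, ticket_id: str, presented: str, now: int) -> str:
        secret = self._secrets.get(ticket_id)
        if secret is None or not verify(ticket_id, secret, presented, now):
            return "rejected"
        if ticket_id in self._admitted:
            return "already_used"
        self._admitted.add(ticket_id)
        return "admitted"


def demo():
    """Show a value that is valid now and useless a minute later."""
    secret = b"\x13\x37" * 16            # constructed per-ticket secret
    t = int(time.time())
    value = barcode_value("TKT-0001", secret, t)
    return value, verify("TKT-0001", secret, value, t), \
        verify("TKT-0001", secret, value, t + 60)


if __name__ == "__main__":
    v, now_ok, later_ok = demo()
    print(f"barcode now: {v}  valid now: {now_ok}  valid in 60s: {later_ok}")
```

The design point is that the barcode is a function of a secret the attacker never obtained; a dump of barcode values, even hundreds of thousands of them, only ever represents a window that has already closed by the time a buyer tries to use it. What a breach like this does expose is the ticket identifiers and customer data around those values, which is why the disclosure still matters.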

Tips to Make Your Incident Response Plan Work Better

Improving the effectiveness of your incident response plan is crucial for minimizing damage and ensuring a swift recovery during real-world incidents. To make your plan work better than Ticketmaster’s, make sure you establish clear communication protocols.

This means clear communication channels for IR teams to coordinate effectively during an incident, pre-drafted communication templates for notifying customers, partners, and regulatory bodies, and specific timeframes in which to notify those impacted (ideally as soon as possible). 

After each incident, conduct a thorough post-incident analysis and document the actions taken, the timeline, and the outcome. (Ticketmaster got this part right by promptly launching a forensic investigation.)

Perform a root cause analysis to understand how the incident happened and what you can do to prevent similar incidents in the future. Establish a feedback loop where lessons learned from incidents help to refine and improve your IR plan.

Another actionable tip is to regularly conduct live-fire attack simulations in cyber ranges to test your IR team's response to different threat scenarios. Use these cyber ranges to enable your entire team to work together in their individual roles to detect and remediate realistic simulated attacks.

In addition to blue team (cyber defense) exercises, incorporate varied exercises such as red team (adversarial testing), red team vs blue team, purple team (collaborative defense), and capture the flag (competitive) exercises. These simulations will challenge your IR team, improve their skills, and provide valuable insights for continuous improvement.

Get better at responding to breaches with Cloud Range

Cloud Range helps you reduce the time it takes to respond to breaches and mitigate damage with immersive live-fire simulations. You’ll get a full library with a variety of attack simulations and the ability to customize each environment to replicate your network setup.

We also focus on the vital soft skills that lie at the heart of a well-versed incident response plan—communication and collaboration. 
