On the evening of Friday 6 April, Daniel Chatfield, a software engineer at the challenger bank Monzo, sent out a tweet containing an unintelligible string of more than 40 letters and numbers.
“It’s a hash of a message,” said Chatfield, after one of his followers asked what it meant. “It’s useful if you want to be able to prove you knew something on one day without actually revealing that info on that day.”
On Wednesday this week, Chatfield finally decrypted the tweet: “Ticketmaster card detail breach h7dl8.” It is evidence, Monzo claims, that its financial crime team had identified signs of a vulnerability in Ticketmaster’s service more than two months before it was disclosed to the public. Up to 40,000 British customers may be affected.
Monzo also claims that Chatfield and his colleague Priyesh Patel handed over analysis linking fraudulent payment activity to Ticketmaster during a meeting with the firm’s employees on 12 April, several weeks before Ticketmaster says it identified the source of the issue.
A spokesperson for Ticketmaster told NS Tech it investigated Monzo’s analysis at the time, but found “no evidence” the fraudulent activity originated with its business. The vulnerability arose in a customer support product supplied by a third-party, Ticketmaster said.
“For a few days or a week, we didn’t have enough evidence to be sure it was Ticketmaster,” Monzo’s head of financial crime Natasha Vernier tells NS Tech. “There was an interesting correlation with most of the customers [reporting that they had been victims of payment card fraud] and Ticketmaster.”
The bank didn’t want to take any risks. Its fraud team noticed suspicious activity at 09:48 on 6 April, it said. By 14:29, Chatfield and Patel realised this wasn’t “business as usual”, and by 16:34 wrote new rules blocking future transactions on customers’ cards that looked suspicious in a similar way, Monzo added. Staff reached out to other banks and the US Secret Service that evening, according to Monzo’s statement.
During the week following Monzo’s meeting with Ticketmaster, the fraud team spotted another unusual transaction, the bank said.
“We noticed that one of our customers had a declined transaction at a merchant that the fraudsters were using to spend the money at,” says Vernier. “The transaction declined because the expiry date was wrong. We looked at the customer’s account and they had previously tried to spend money at Ticketmaster. It had failed because they had entered the same incorrect expiry date.”
This was, claims Vernier, “almost complete evidence” that Ticketmaster’s database had been breached and criminals were using customers’ card details to make fraudulent transactions. Monzo took the decision to replace around 6,000 cards used to make Ticketmaster payments. But it decided not to name the company at the time.
“There wasn’t definitive proof that they had been hacked,” Monzo CEO Tom Blomfield tells NS Tech. “But it was overwhelmingly likely that they were the common point of breach. Ticketmaster said they would investigate and went away and basically responded that they had done an investigation and were confident they were not the source of the breach.”
Blomfield claims Monzo gave the firm further evidence over the next few days and weeks. “They just gave us the stock answer: ‘We’ve done the investigation and we’re confident there’s no breach’,” claims Blomfield. “It’s incredibly frustrating that we talked to them in April and it took them until 23 June to finally figure out the source of the breach.”
“We talked with our lawyers quite extensively at the time and we didn’t feel comfortable disclosing information that could have a material impact on the company’s value,” he says. “Our number one priority is making sure our customers’ money is safe so we took all the steps we could to keep our customers’ safe.”
In addition to replacing payment cards and writing new rules into its anti-fraud system, Monzo says it refunded its customers for the fraudulent transactions. “Unfortunately, we took quite a big financial loss from this,” claims Blomfield. “Replacing 6,000 cards at the time would have cost £20,000-£30,000, plus more to refund the customers, plus we’ll be replacing several thousand more cards today [Thursday].”
A Monzo spokesperson told NS Tech that refunding “a couple of hundred” customers cost around £15,000, with card replacements issued on Thursday amounting to a further £11,000. The startup bank is not yet profitable, but has raised tens of millions of pounds in crowdfunding and venture capital. Blomfield declined to comment on whether Monzo would be taking legal action against Ticketmaster.
Blomfield asks: “In the future, what if this happens again? If a big retailer is breached and we can’t get a response, what do we do about? It’s a tricky question we’re grappling with.”
Ticketmaster UK published a statement on the breach on Wednesday (27 June). The incident may have affected up to 40,000 Brits. Globally, up to 5 per cent of its customers could be affected. Ticketmaster claims to serve 230 million people a year. It said it had already contacted “all potentially impacted international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018”.
The breach appears to have originated from malicious software in a customer support product hosted by a third-party supplier. Ticketmaster said the malware was disabled as soon as it was discovered.
A Ticketmaster spokesperson told NS Tech: “When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf. In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.”
The Information Commissioner’s Office has launched an investigation into the breach. “Organisations have a legal duty to ensure that people’s personal information is held securely. We have been made aware of an issue concerning Ticketmaster and will be making enquiries,” said an ICO spokesperson. “We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
The new legislation grants the regulator the power to fine organisations up to 4 per cent of their annual global turnover. Ticketmaster’s parent company, Live Nation Entertainment, made more than $10bn last year.