Live Nation SEC filing confirms “unauthorized activity” behind alleged Ticketmaster hack

Following claims by a cybercriminal group that it stole data from 560 million Ticketmaster customers, the parent company of the ticketing and distribution company told the US Securities and Exchange Commission (SEC) on Friday that it had identified unauthorized activity with its cloud partner.

“On May 20, 2024, Live Nation Entertainment identified unauthorized activity on a third-party cloud database containing company data — specifically at its subsidiary Ticketmaster LLC — and launched an investigation with industry-leading forensics investigators to understand what happened,” the SEC filing said.

The filing did not address the number of customer accounts affected, but appeared to refer to claims by cybercrime group ShinyHunters.

“On May 27, 2024, a criminal threat actor provided so-called company user data for sale on the dark web,” the filing said. “We are working to reduce the risk to our users and the company and have informed and are cooperating with law enforcement. Accordingly, we notify authorities and users about unauthorized access to personal information.”

Live Nation, which is facing antitrust lawsuits after the U.S. and state governments sued the company, seeking to break it up over concerns it illegally inflated ticket prices, said it did not believe the breach would have an impact on its business or financial condition. “We continue to assess the vulnerability and our remediation efforts are ongoing.”

The cloud partner that experienced the breach was not identified

The company did not identify the cloud partner in question, but one of its cloud partners – Snowflake – released a statement on June 2 talking about “cyber threat activity.” Various media reports have linked the Ticketmaster situation to Snowflake’s statement, but CSO could not confirm that the two incidents are related.

Snowflake said in a statement that it has recently noticed and is investigating an increase in threat activity targeting some of its customers’ accounts. “We believe this is the result of an ongoing industry-wide identity attack aimed at obtaining customer information. Research indicates that these types of attacks are carried out with our customers’ information exposed through non-internet threats,” the company said.

“At this time, we do not believe that this work is caused by any vulnerability, misconfiguration, or bad work within the Snowflake product. Throughout our ongoing investigation, we immediately notified the limited number of customers we believe were affected.”

Snowflake claims about 9,437 customers including Albertsons, JetBlue, Honeywell, Disney, MasterCard, Pfizer, and Petco.

The damage from such a breach can spread to cloud areas

Danielle Stepien, CEO of Igniter Engineering, which does cybersecurity work in aerospace and related verticals, said she is concerned that the breach could represent a widespread threat.

“If it’s a ransomware attack of any kind, this could be a type of infection, causing a significant impact on business operations that could affect supply chains, other systems that we don’t know about publicly yet, and more,” Stepien said. “The fact that this is done in the cloud is bad, as it can affect any other system in the same cloud, if hacking is done thoughtfully in the cloud.”

Stepien added that the nature of this type of third-party exposure can cause damage to mount quickly.

“Database hacks have huge consequences, whether they’re hacked in the cloud or on-prem. You don’t know how one database is connected to all the other databases, since that’s obviously proprietary information,” Stepien said. “When it’s connected, it has huge effects on the business performance of whatever is affected.”

The Live Nation filing used the SEC’s new incident reporting guidelines

Live Nation appears to have adopted the latest revised guidance from the SEC on what type of report should be used when a company has not concluded that an incident is material – the SEC is now proposing to use form 8.01, which the company used.

Part of the confusion with the SEC’s reporting requirements is that companies are asked to determine whether an incident is significant in the short term. But many companies — including Live Nation — tell the SEC they haven’t made that determination. It’s not clear how that helps investors.

Generally, a business judges materiality based on the potential impact on revenue and/or total revenue. In large businesses – Live Nation’s revenue last year was $22.7 billion – that often happens when the company expects a large number of customers to leave because of an incident, or expects to lose a large portion of its revenue given the departure of some of its biggest customers.

With Ticketmaster, that could only happen if consumers went elsewhere to buy entertainment tickets. In the US, there are several different vendors, suggesting that a cyberattack can only be significant if it isolates a large number of locations and/or large players.

In this case, the attack was not even on the business, but on the cloud partner of the business, which made the materiality determination even more difficult.

