CEO bemoans inaccurate media information about breach.
A UK-based ticket service suffered a breach that may have exposed the personal data of more than 700,000 customers.
A breach was initially disclosed on September 30th when a threat actor on a dark web forum claimed responsibility for leaking the customer database of Central Tickets.
The trove of data was added to haveibeenpwned on the same day, where analysis of the data determined that the breach occurred in July.
The breached data included 723,000 unique email addresses alongside names, phone numbers, IP addresses, purchases and passwords stored as unsalted SHA-1 hashes.
Staging Database
According to media reports, a “staging database” - used for testing purposes and separate from its main website and app - was breached.
In an email sent on the 30th September, published on a theatre messaging board, Central Tickets CEO Lee McIntosh, confirmed what had been breached, and said “we do not process or store any sensitive or high-risk data.” He also confirmed that the ICO had been notified and it was conducting a comprehensive audit of its IT systems.
No Knowledge of Compromise
McIntosh has since revealed that on 11th September, the Metropolitan Police informed him of dark web conversations indicating that a breach may have occurred. “Prior to this, we had no knowledge or indication that our systems had been compromised,” he said. “The initial police report did not include specific details or sources, making it difficult to verify the situation immediately, as we had no direct visibility of the data involved.”
McIntosh acknowledged that some users “may have heard about this breach through external sources before we could complete our investigation” as time was needed to gather facts and ensure there was a full understanding of the scope of the breach before informing users.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.