Global ticketing giant See Tickets has begun notifying customers of a significant breach of their personal and financial information, which lasted for over two-and-a-half years.
The company, owned by French media firm Vivendi, revealed the news in breach notification letters published by various US states. An official statement from either business has so far not been forthcoming.
However, according to the published data breach notices, See Tickets was alerted to “potential unauthorized access by a third party to certain event checkout pages” on its site in April 2021.
The company stated that an investigation launched in concert with a forensics firm took until January 2022 to completely shut down the unauthorized activity – a full nine months after the initial alert. It then took the firm another eight months to ascertain that customer payment card information had been compromised.
“Our response efforts had multiple phases and resulted in the complete shutdown of the unauthorized activity in early January 2022. In the following months, we worked with Visa, MasterCard, American Express and Discover to identify potentially affected pages and transactions. This wide-ranging effort was supported by multiple forensics firms, and included coordination with law enforcement,” the notice explained.
“Affected information may include the data you provided when purchasing event tickets on the See Tickets website between June 25, 2019, and January 8, 2022, including: name, address, zip code, payment card number, card expiration date and CVV number.”
Although the nature of the breach is still to be confirmed, the details released so far could indicate the presence of card data-stealing “skimmer” malware on See Tickets systems during the 2.5-year period. A Magecart group famously compromised the firm's rival Ticketmaster in this way several years ago.
Reports suggest over 90,000 customers were impacted in Texas alone, meaning the total could run into the hundreds of thousands in the US.