Inbenta chatbot script skimmed Ticketmaster payments

Ticketmaster put a customized Inbenta chatbot script on payment pages. That decision turned a support widget into checkout code: the script ran where customers entered names, addresses, login details, and card data.

Inbenta said the vulnerable code was a single custom JavaScript file made for Ticketmaster, not a standard product component or a compromise of all Inbenta deployments. Attackers modified that script and used it to extract data submitted through Ticketmaster's payment forms between February and June 2018.

Banks saw the damage before Ticketmaster fully accepted it. Monzo, Barclaycard, and American Express all reported suspicious card activity tied to Ticketmaster purchases. Ticketmaster disabled the Inbenta product on June 23 and later said fewer than 5% of global customers were affected.

The UK ICO later fined Ticketmaster, saying the incident potentially exposed 9.4 million people, including 1.5 million in the UK, and led to 66,000 cards being replaced. This record is scoped to the compromised Inbenta-hosted custom script, not to Inbenta's entire chatbot platform.

Motive

Financial Gain

Attribution

Group

Cause

Vendor Compromise

Transitive

Yes

Actor

Magecart

• Locationdistribution: inbenta.com
• familyMagecart
• organizationTicketmaster UK
• organizationMonzo
• organizationBarclaycard
• organizationAmerican Express
• datanames
• dataaddresses
• dataemail addresses
• datatelephone numbers
• datapayment details
• dataTicketmaster login details
• observableICO said 9.4 million people were potentially affected, including 1.5 million in the UK, and 66,000 cards were replaced.

• Ticketmaster admits user data stolen in breachwired.co.uk
• Ticketmaster Suffers Security Breach - Personal and Payment Data Stolenthehackernews.com
• Ticketmaster Fined $1.7 Million for Data Security Failuresbankinfosecurity.com
• Ticketmaster cops 1.25m GBP ICO fine for 2018 Magecart breachtheregister.com
• Magecart Attacksdatadome.co