Two Major Retailers Hit by Data Breaches this Week

Two major retailers were hit by data breaches this week. First came Ticketmaster. On Wednesday, the ticketing site announced that 5% of its entire customer base was affected by a data breach, which has led to the theft of login information and customer data, including payment details.

The Ticketmaster breach occurred not at Ticketmaster itself, but at Inbenta, a third-party customer service agent that the company was deploying on Ticketmaster UK. Malicious software had been inserted into Inbenta’s customer support product, according to Ticketmaster. On discovery of the breach, the company disabled Inbenta’s software across its websites.

The breach is thought to have only affected customers in the UK, nonetheless, the company is asking all Ticketmaster International users to reset their login information on their next sign in as Inbenta’s chatbot was enabled on the Ticketmaster International site, TicketWeb and GETMEIN! Websites along with Ticketmaster UK.

Inbenta released its own statement via its blog, stating that no other websites would be affected by the problem as the vulnerability was found in a customized script that Ticketmaster wrote and implemented itself. Inbenta CEO, Jordi Torras, defended his company, saying, “Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements. This code is not part of any of Inbenta’s products or present in any of our other implementations. … Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

The second of the major retailers hit by a data breach was adidas who announced its attack last night, which impacted its US website. The company posted a statement on its website, saying it had become aware of the problem on June 26th when “an unauthorized party claims[ed] to have acquired limited data associated with certain adidas consumers”. adidas reassured users of its website that the data that had been compromised was restricted to “contact information, usernames and passwords”, and the company “has no reason to believe that any credit card or fitness information of those consumers was impacted”.

Regardless, millions of customers may have been affected by the potential security breach and adidas is now working with law enforcement and data security firms to investigate the issue further.

Other major retailers that have declared security incidents or data breaches this year include Panera, Orbitz, MyFitnessPal and [24]7.ai, which may have also exposed the customer data of its partners, including Best Buy, Delta and Sears.

Scroll Up