Major data breaches at Adidas, Ticketmaster pummel web users

Major data breaches at Adidas, Ticketmaster pummel web users

There’s been a number of data breaches and accidental data exposures coming to light in the last few days, and no matter where in the world you happen to be located, you’ll want to do some due diligence and see if you’ve been affected. These aren’t small fishes being preyed upon by black hats; we’re talking Adidas, Ticketmaster, and Exactis, the last one being a particularly big issue, despite being a company you may not have even heard of up until now. Shall we take a look?

This breach isn’t very sporting

Adidas, famous sporting equipment creator, revealed a breach in a somewhat short public statement late on Thursday evening. They stated:

According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.

While there’s no information on exact numbers at this stage beyond references to “a few million,” they do mention that the only customers affected so far are thought to be those who made a purchase via adidas.com/US.

Something of note: They claim to have first noticed the breach on June 26, and have made a public notification two days later. In a realm where huge data breaches can be revealed many months or in some cases years after an attack has taken place, this is impressive (though also now required by GDPR).

It’s important to recognise, however, that at this point, we don’t know if the breach itself took place on June 26 or if Adidas became aware of it on that date, because it sounds as though someone noticed a third party trying to sell the stolen data. All the same, this is a rapid turnaround and helpful for anyone wishing to keep an eye on transactions after having used the above Adidas portal.

The golden ticket

The UK didn’t escape from the blast of breaches rumbling on beneath the surface, as the massive ticket sales/distribution company Ticketmaster fell foul of payment data shenanigans. A code library used to power a third party customer support agent is claimed to have been sending payment data to an unknown third party whenever a customer bought tickets. According to the statement provided by the support agent tool creators, a single unauthorised line of Javascript was all it took to cause the problem.

That single line of code, implemented on the payment page, has resulted in up to 40,000 people having their data swiped. If you made a payment somewhere around February to June this year, or anything from September 2017 to this week if you’re an international customer, you could be at risk. Where this story becomes particularly problematic is that digital bank Monzo claims they tried to warn Ticketmaster about the problem back in April of this year, but their warnings went unheeded. Now they’re faced with a so-called perfect storm of bad comms and a significantly harsher round of press-related spotlights.

Fixing a leak

This last incident is less about payment information and more about personal information. It’s also more accurately described as a potential accidental exposure of information, which others may have accessed without permission. Exactis, a marketing firm with a “universal data warehouse” storing 3.5 billion consumer, business, and digital records, have found themselves at the heart of the controversy due to researcher Vinny Troia finding a large slice of data on a publicly-accessible server.

The data are made up of some 340 million records, weighing in at about 2 terabytes. The records contained incredibly detailed information on American consumers, including home addresses, phone numbers, emails, and other “personal characteristics,” including habits, children’s ages, and more. At time of writing, no payment or social security information has been found—so that’s one small silver lining.

However, anyone caught up in the exposed data could find themselves at increased risk of phishing or social engineering attacks if criminals were able to dig into it before the researcher sounded the alarm. It also means bad actors could potentially use detailed information to impersonate the person on file and use that to social engineer someone else.

What can I do?

Unfortunately, there’s only so much you can do in front of your computer where a breach is concerned, because unlike the device in front of you, it’s almost entirely out of your hands. When data is exposed, or someone grabs a pile of payment information, much of what happens next is down to the company responsible for safe keeping. Are payment records encrypted? Are passwords recorded in plain text? Is your entire personal history sitting on a server somewhere, ready to be grabbed by a crew of black hats or a curious observer?

A touch alarming, perhaps, but that’s the reality of doing business online, whether you’re looking to buy something, register somewhere, or simply hand over marketing information while browsing the web. If you’re caught in a breach or a leak, then perform due diligence and cancel your cards, heighten your awareness for phishing/social engineering scams, and take advantage of the typically free credit monitoring services offered post incident. If you follow those directions, you’re doing everything you can to keep things under control on your end.

The important thing to remember is not to panic, and don’t feel too bad should you believe your information to be compromised. We’re probably all going to end up in that position at some point, so you’re in good company.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.