Why the Ticketmaster Breach is More Dangerous Than You Think
Jul 10, 2024
Though the Ticketmaster breach may appear to be a consumer data issue, companies should not dismiss the incident, as your organization may now be at risk.
It was a quiet Monday morning when millions of Ticketmaster customers opened their emails to a startling message: an "unauthorized third party" accessed information from a cloud database managed by an external company.
This latest Ticketmaster breach occurred a mere three days after another significant security lapse. The previous incident, described as "unauthorized activity," also involved a third-party cloud database primarily housing Ticketmaster data. The back-to-back breaches paint a troubling picture of vulnerability and raise pressing questions about the security of customer data in the hands of even the most trusted brands.
But there’s an even greater threat flying under the radar of most organizations: 69% of consumers admit to shopping online while at work. And that means that your organization may now be at risk, too.
One often-overlooked risk in the wake of the Ticketmaster breach is the widespread use of work emails for personal accounts. Ticketmaster, typically not viewed as a critical SaaS application, can easily slip under the radar of even the most vigilant security teams. This oversight is significant, given how often employees reuse passwords across multiple accounts, including work-related ones. One of Grip’s customers was surprised to find that they had 34 employees using their corporate identities for their Ticketmaster account. If an employee reused a password that they also use for a work system, the company’s systems are now vulnerable to a credential stuffing attack.
A recent study found that 60% of people admit to using the same password for multiple accounts. If employees use their work emails to sign up for a Ticketmaster account and reuse their work passwords, a breach in Ticketmaster's system could provide a gateway for cybercriminals to access corporate networks. This scenario becomes even more alarming, considering that 62% of breaches resulted from hacking and 81% of those breaches leveraged weak or reused passwords.
The bottom line: even seemingly harmless SaaS platforms can pose significant threats to corporate security, underscoring the need for comprehensive security protocols that address all potential entry points, no matter how trivial they may seem.
Let’s be honest: the lines between personal and professional life often blur, especially when it comes to technology use. Unfortunately, it’s common practice for employees to use their personal devices to shop (or purchase tickets on Ticketmaster) with accounts where they may be using corporate credentials. This behavior introduces significant security gaps that traditional SaaS security products that rely on network traffic, such as firewalls and cloud access security brokers (CASBs), cannot detect.
Firewalls and network monitoring tools are designed to protect corporate data and assets, not to discern the nuances of account use. When employees log into personal Ticketmaster accounts using corporate credentials, the mingling of personal and corporate identities creates a vulnerability many security protocols do not address.
As an example, an employee might use their work email to receive notifications about concert tickets, integrating the communications into their daily workflow. When this happens, security teams cannot easily differentiate between legitimate work-related traffic and personal use of SaaS applications like Ticketmaster. The 2023 Verizon Data Breach Investigations Report highlighted that 19% of all breaches involved internal actors, demonstrating the risk posed by employees’ online behavior, including actions that unintentionally cause a breach.
The implications here are far-reaching. If an employee’s personal Ticketmaster account is compromised, hackers have an “in” to exploit the credentials to gain access to corporate systems. Ultimately, the Ticketmaster breach sheds light on the critical need for security strategies that account for the intertwined nature of personal and professional identities.
Though the Ticketmaster breach may appear to be primarily a consumer data issue, companies should not dismiss the incident. Instead, they should check whether any employees have used corporate credentials for this entertainment service. In some cases, employees may have legitimate reasons for doing so, such as entertaining clients. However, the practice significantly expands the company’s attack surface, making it more vulnerable to potential credential-stuffing attacks.
Once the exposure for such an attack is identified and defined, the next step is to require employees to change their passwords so that any compromised passwords are no longer valid. Those using corporate credentials for personal accounts should also be required to discontinue using their corporate emails.
Finally, the systems on which the employee uses an email and password rather than an identity provider or SSO need to be identified. Action should be taken to protect these applications, such as moving to SSO or enabling MFA. At a minimum, the passwords should be rotated so that the compromised credentials cannot be used to gain unintended access.
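The three steps above can be run as a single triage pass over an account inventory. The following is an added example, not Grip's code or part of the original article; the CSV columns, the sample rows and the `example.com` domain are constructed assumptions. It treats every password-based account held by an exposed user as needing rotation, since an inventory cannot show whether a password was actually reused.

```python
import csv
import io

# Constructed sample inventory (not real data); the column names are assumptions.
SAMPLE_INVENTORY = """\
email,app,auth_method,mfa_enabled
alice@example.com,ticketmaster,password,false
Alice@Example.com,payroll-portal,password,false
alice@example.com,crm,sso,true
bob@example.com,ticketmaster,password,false
bob@example.com,wiki,password,true
carol@example.com,payroll-portal,password,false
dave@mail.example.net,ticketmaster,password,false
"""


def load_accounts(inventory_csv):
    """Parse the inventory and normalise case and whitespace in every field."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [{k: v.strip().lower() for k, v in row.items()} for row in reader]


def triage(inventory_csv, breached_app, corporate_domain):
    """Map each exposed corporate identity to the follow-up work it needs."""
    accounts = load_accounts(inventory_csv)
    suffix = "@" + corporate_domain.lower()
    exposed = {a["email"] for a in accounts
               if a["app"] == breached_app.lower() and a["email"].endswith(suffix)}
    plan = {user: [(breached_app.lower(), "change password; move account off corporate email")]
            for user in exposed}
    for a in accounts:
        if a["email"] not in exposed or a["app"] == breached_app.lower():
            continue
        if a["auth_method"] == "sso":
            continue  # federated login: no app-local password to reuse
        action = "rotate password"
        if a["mfa_enabled"] != "true":
            action += "; move to SSO or enable MFA"
        plan[a["email"]].append((a["app"], action))
    return {user: sorted(items) for user, items in sorted(plan.items())}


if __name__ == "__main__":
    for user, items in triage(SAMPLE_INVENTORY, "ticketmaster", "example.com").items():
        for app, action in items:
            print(f"{user:20} {app:16} {action}")
```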
The Grip SaaS Security Control Plane (SSCP) solution was designed to help companies identify and prevent the misuse of corporate identities for personal SaaS. Whenever an employee creates an account for an unfederated SaaS application, the system can automatically query the user to justify using the corporate identity. Based on the response, the system can require the user to discontinue using the corporate credentials or even the application itself. If the user does not comply, Grip SSCP will take over the account, provide IT control of the account, and alert the appropriate group of the user’s noncompliance. Leveraging this automation to resolve the Ticketmaster breach can help companies ensure their security in a matter of minutes compared to the days or weeks it might take to do this manually.
The Ticketmaster breach is a stark reminder that employees frequently use SaaS and other technologies independently, often without considering the potential consequences to their organization. And the risk potential isn’t limited to Ticketmaster either.
According to Statista, some of the most popular sites for online shopping include Amazon, Walmart, Target, eBay, Apple, Best Buy, Chewy, and Costco. Each of these platforms represents a potential vulnerability if employees use corporate credentials or devices for personal activities. Effectively securing your organization today includes acknowledging employee behaviors have changed and implementing proactive strategies to protect your organization from the Ticketmaster breach or similar incidents. Grip SSCP can help you uncover all SaaS usage and how it’s being accessed, and it saves you time by automating new account justifications and enforcing compliance with your established security protocols. Book time with our team to learn more.
Using work credentials and reusing work system passwords on Ticketmaster could lead to a credential stuffing attack if the emails are compromised. Additionally, when employees log in to Ticketmaster with corporate credentials from a personal device, a compromised email again provides hackers with a means to exploit the credentials and infiltrate the company’s systems.
The Ticketmaster breach may be dismissed as a consumer data issue, thereby overlooking the corporate security risks. The intermingling of personal and corporate identities creates security gaps that traditional SaaS security products relying on network traffic, such as firewalls and cloud access security brokers (CASBs), cannot detect.
Organizations should first identify which employees may have used corporate credentials to log in to Ticketmaster. Then, require employees to change their passwords so that any exposed credentials will no longer be valid. Those using corporate credentials for personal accounts should also be required to discontinue using their corporate emails. Finally, the systems on which the employee uses an email and password rather than an identity provider or SSO need to be identified and action taken, such as moving to SSO or enabling MFA. At a minimum, the passwords should be rotated so that the compromised credentials cannot be used to gain unintended access.
The Grip SaaS Security Control Plane (SSCP) solution helps companies identify and prevent the misuse of corporate identities for personal SaaS applications. When an employee creates an account for an unfederated SaaS app, the system queries them to justify using their corporate identity. Based on the response, the system may require discontinuation of corporate credentials or the app itself. If the user doesn't comply, Grip SSCP takes over the account, giving IT control and alerting the appropriate group. This automation ensures security in minutes, compared to days or weeks manually.