Recent developments have emerged regarding two major cybersecurity breaches involving ticket sales giant Ticketmaster and Auckland retailer Smith & Caughey’s, with potential impacts on New Zealand customers.
Ticketmaster recently confirmed a cybersecurity incident, with New Zealanders potentially affected.
The hacker group ShinyHunters has claimed responsibility for breaching Ticketmaster’s systems, allegedly exposing customer data.
According to NZ Herald’s report, ShinyHunters claims to have obtained data on approximately 560 million Ticketmaster customers, including names, addresses, partial credit card data, phone numbers, and purchase history.
A security analyst shared with the NZ Herald a sample of data posted by ShinyHunters on the dark web, showing information for about 10,000 Ticketmaster customers, including two from New Zealand.
The hacker group is reportedly demanding US$500,000 ($820,000) for the data and threatens to sell it if the ransom is not paid.
Ticketmaster’s parent company, Live Nation, disclosed the breach in a May 31 (June 1 NZT) filing to the US Securities and Exchange Commission. The filing reported unauthorised activity in a third-party cloud database on May 20, prompting an investigation. On May 27, a threat actor offered what it claimed was company data for sale on the dark web.
Live Nation is working to mitigate the risk and has informed law enforcement and regulatory authorities.
“We are working to mitigate risk to our users and the company, and have notified and are co-operating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorised access to personal information,” the company said, as reported by NZ Herald. “As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.”
The Office of the Privacy Commissioner stated that it has not been notified by Ticketmaster of a breach impacting New Zealanders.
“Where an organisation has had a privacy breach that is likely to cause anyone serious harm, it is legally required to notify us and any affected persons as soon as they are practicably able to,” a spokesperson for the Office of the Privacy Commissioner told NZ Herald. “As a guide, our expectation is that a breach notification should be made to our office no later than 72 hours after agencies become aware of a notifiable privacy breach.”
In a separate incident, the hacker group LockBit has claimed to have accessed and is selling Smith & Caughey’s financial, HR, accounting, management, and IT department data on the dark web, with a deadline of June 4 for offers. The department store, closing after 144 years, acknowledged the breach on Thursday.
“The attack has severely impacted our ability to communicate with our staff, customers, suppliers, and other critical stakeholders. We are trying to reach out to them to explain the situation and the reasons for the communication delays,” said chairman Tony Caughey, as reported by RNZ.
He confirmed that the retailer’s digital team is actively working on the issue.
A new survey, which was released last month, highlighted a rise in privacy concerns among New Zealanders, with 55% of the respondents saying they have grown more concerned about their privacy over the past few years, a 14% increase from the previous survey.
However, another recent survey found significant gaps in cyber recovery efforts among Australian and New Zealand organisations.
