Cyber Incident Victim: Ticketmaster UK

Date: Jul 2020

Location: United Kingdom

Summary

A database containing 4.8 million customer emails and usernames linked to a prominent UK ticketing provider was discovered for sale on the dark web, advertised by a seller using a Russian contact email. The compromised records, primarily affecting users in the UK, US, and several other countries, exposed individuals to heightened risks of phishing and credential stuffing attacks. While the seller falsely attributed the data to a shopping and forex platform, analysts confirmed its connection to the ticketing service, which had previously experienced website defacement and appeared on a list of SQL injection-vulnerable sites. The incident highlighted broader organizational risks including potential fraud costs, customer attrition, and operational disruptions stemming from such breaches.

Description

On July 8, 2020, a database containing 4.8 million email addresses and usernames linked to a prominent UK-based live event ticketing provider appeared for sale on a dark web marketplace. The listing was posted by a new user identified as "Jamescarter," who priced the dataset at $2,500 and provided a .ru email address for contact. Cyber-intelligence firm KELA discovered the listing and acquired a sample of 10,000 records for analysis, confirming only 300 (3%) were duplicates. While the seller claimed the data originated from a "shopping and forex trading site," KELA attributed the records to customers of the UK ticketing service based on investigative findings. The dataset primarily contained commercial webmail addresses but also included government domain accounts, elevating risks for high-value targets. Affected users spanned multiple countries, with concentrations in the UK, US, New Zealand, Australia, South Africa, Germany, and France.

The exposure placed affected customers at heightened risk of phishing campaigns and credential stuffing attacks, where stolen credentials are reused to compromise other accounts. KELA noted the ticketing provider had previously experienced website defacement and was listed on Pastebin among sites vulnerable to SQL injection attacks, though no confirmed connection existed between these prior incidents and the 2020 breach. Credential stuffing attacks were estimated to cost EMEA organizations approximately $4 million annually prior to this incident, factoring in application downtime, customer attrition, increased IT security workloads, and subsequent fraud losses. The sale listing remained active following its July 8 posting, with no disclosed remediation actions or public statements from the affected organization in the available source material.
