A few weeks ago, I wrote a blog entry asking how many breaches GoTickets.com had really experienced. At the time, it appeared that they had had one breach in May 2012, which they reported to California (and, as I recently learned, New Hampshire and Maryland), but there was a puzzling report from American Express that suggested that they had had an earlier breach in November 2011.
GoTickets.com never responded to my e-mail inquiry asking them to confirm or clarify the puzzling report.
That November 2011 report is still not clear to me, but in looking into things, I discovered that their May 2012 breach was worse than I originally knew.
Although GoTickets.com does not seem to have updated their June 20, 2012 report to California – the same basic report they sent to New Hampshire and Maryland – they sent two subsequent updates to New Hampshire. As a reminder, in their June 20th report, they stated that there had been two intrusions – on or around May 22 and May 30 and that there was evidence that at least some customers’ card information had subsequently been misused. In Maryland, 105 customers had made transactions during the critical time periods, and there was evidence that at least some customers had subsequently experienced card fraud. A smaller number had been affected in New Hampshire.
On August 3, they notified New Hampshire that they had recently learned that there had been another intrusion – on July 5. GoTickets believes that the July intrusion was likely related to the previous problem. Although their investigation wasn’t complete by that time, it appeared that a single administrative account had been compromised and malicious files placed on the server that allowed subsequent improper access. Again, there was evidence that the recent intrusion had resulted in misuse of customer card information. In Maryland, another 40 customers were potentially affected.
On September 4, GoTickets again updated their situation. In their newest letter to New Hampshire, they reported that on July 24 – the very day they started investigating the July 5 intrusion – they suffered another intrusion. And once again, there was evidence of information misuse.
In response to the security breach, GoTickets implemented more stringent administrative account controls, retired old user accounts, switched to requiring more complex login/passwords that would expire every 90 days, and reduced the number of administrative accounts while isolating the administrative interface and restricting access to one physical location or a VPN.
Hopefully, their efforts were sufficient to plug the hole.
Now if I could just find out what happened last year.
The steps they are taking are better that it was, but it could boild down to some very basic social engineering tactics. There are reports of A LOT of usernames and passwords that have been stolen. All these crooks have to do is locate a name. Then they take that name, nickname or email address and try to use that to gain entry into the place where the person resides.
I am sure there are MANY people who use their favorite password or scheme on every website they visit. (Somehow I sense a flurry of admins rapid logging in to admin accounts, engaging brains and coming up with a unique password scheme).
Sometimes crooks aren’t as smart as you think. Make sure your systems are patched. Make your password is ultra strong. Watch your elevated privilege accounts. Passwords are changed frequently – plus they are being audited and monitored on a random basis Elevated accounts Should be limited in nature – Not everyone needs administrative or root access.
Looking from the outside in, it limits your ability to see what happened. I am sure there are clues. If I was a hacker and wanted in, I would surf to a secure logon area of the site, try the usernames and passwords early in the work day. It looks like it was a sleepy headed attempt to log in and get ignored. The dumb hacker would try that late at night when the person is snoring in their bed.
It doesn’t take the thinking of a rocket scientist to crack some of these passwords. A determined crook armed with a screen full usernames and passwords that he bought for less than the cost of lunch could easily make a compnay lose million in revenue, pay hefty fines and make people lose their jobs….. all due to the use of a single password over a multitude of websites.