Well, that didn’t take long. Less than two weeks into its existence and we’ve already seen the first major data breach of the GDPR era. But does it actually fall under GDPR guidelines?
Event ticket distributor Ticketfly reported what it is calling a “cyber incident,” and took down its home page on May 31 in response. According to Motherboard:
A hacker briefly took over Ticketfly’s website, defacing it with a picture of the V for Vendetta character and a claim of responsibility. The hacker also sent Motherboard files of what they say is employee and customer information taken from Ticketfly’s database.
The hackers asked for a single bitcoin as a ransom payment.
But note Ticketfly’s wording here: cyber incident. Not data breach. Last year, I wrote about the dangers of using the words data breach when it really wasn’t, and I think we’ll see more of that now. Calling this a cyber incident was a nice maneuver on Ticketfly’s part, as Netskope CEO Sanjay Beri pointed out in an email comment:
While the company hasn’t confirmed a breach of customer data has occurred, at face value the hacker’s claim — that he/she managed to access their database via an unpatched vulnerability or misconfiguration — is well within the realm of possibility. Now the real question is, if a breach did occur, did the database include any PII belonging to EU citizens? If the answer is yes, this situation could escalate quickly.
Since Beri made that comment, we have learned a little more about the Ticketfly incident. I guess it is safe to call it a data breach now, as Engadget reported. More than 25 million email addresses linked to personal information and associated with the ticketing site were discovered on Have I Been Pwned, a site where you can check to see if your information was compromised in a breach.
Whether or not this breach meets GDPR compliance remains to be seen. According to articles I’ve seen, the company covered event sales for American establishments, but that doesn’t mean that EU citizens didn’t have their information in that database. Also, did the company meet GDPR standards, if necessary?
It will be a data breach case we’ll want to watch to see if GDPR comes into play and if so, how this will all shake out.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba