See Tickets has informed consumers that it was subject to a long-term security incident, potentially impacting the credit card security of those who used the platform to purchase tickets over a multi-year period, according to multiple reports. The breach was reportedly initiated by hackers who were able to inject malware via a tracking pixel that skimmed user data for a period of as much as two and a half years before it was mitigated.
“At See Tickets we take securing customer information very seriously and deeply regret this incident occurred,” Boris Patronoff, CEO of See Tickets North America, told Billboard in a statement. “We also understand how this may have negatively impacted on our clients and their customers. We conducted an immediate investigation as soon as the issue was discovered and communicated with clients and customers the moment it was possible to do so. We have since taken additional measures to further strengthen our security.”
According to a copy of the breach notification letter sent to consumers available via the Montana Attorney General’s office, See Tickets was alerted to the unauthorized access in April of 2021. After investigating the issue, the company was able to fully remove the malicious script from its pages by January of this year. By September, post-breach investigation involving payment processors and law enforcement made it clear that consumer payment card information may have been accessed in the breach.
“While our investigation continues and we are not certain your information was affected,” the letter reads, in part, “we are notifying you out of an abundance of caution based on available information.”
Consumers who purchased tickets through the See Tickets website between June 25, 2019 and January 8, 2022 have been notified of their potential for being impacted by the breach, which could have involved the skimming of data including their name, address, zip code, payment card number, card expiration date, and CVV number. The company stressed in the letter that they do not store social security numbers, state ID numbers, or bank account details.
See Tickets is not the first ticketing provider to see a security/data breach impacting its operations in recent years. Ticketmaster saw the personal and payment information of some 40,000 users impacted in a major data breach that took place between February and June 2018. TicketFly was hobbled by an even larger-scale breach that involved more than 26 million user accounts and crippled box office operations for venues using the company – which was subsequently folded into parent company Eventbrite in the wake of the hack.
Consumer data is an increasingly key piece of the ticketing game, which has seen companies like Live Nation/Ticketmaster and AXS force consumers to use mobile-only ticketing systems that allow them wide access to personal data that can be used for marketing purposes or sold to partners. Such data is increasingly the cornerstone of any deal-making by these companies, but continues to involve substantial risk for consumer personal data when hackers gain access to these systems.
It is unclear whether or not the See Tickets breach was limited to clients in the North American market, or if other markets were involved.
See Tickets North America serves as the ticketing vendor for a wide variety of small venues in the U.S., including the Troubador in West Hollywood, California, Baby’s All Right in Brooklyn, New York, and World Cafe Live in Philadelphia, Pennsylvania. It also services festival clients including the Pitchfork Festival and Disco Donnie Presents’ Freaky Deaky Festival. Its North American operations are joined by branches in France, Spain, Germany, Belgium, Portugal, Switzerland, the Netherlands, and its original home of Great Britain. The company is a subsidiary of Paris-based media conglomerate Vivdendi SA.