Millions of Americans tuned in on Sunday night to watch two of the most highly anticipated football playoff games in recent history between the Saints and the Rams, then the Patriots and the Chiefs. And it’s not difficult, in seeing the packed seats on television, to envision how stadiums, concert halls and theatres could be a lucrative hacker target – from a venue’s concession stands, to its parking facilities, to its merchandise stores, to its ticketing operations.
Over the next several weeks, Bluefin will be discussing the importance of PCI-validated Point-to-Point Encryption (P2PE) to ticketing organizations during TicketForum, sponsored by Bluefin’s Decryptx® partner TicketReturn; INTIX, one of the largest trade organizations for ticketing professionals; and PACNet, sponsored by Bluefin’s Decryptx partner Paciolan.
It’s Not Just Retail and Restaurants
While we are still waiting for the final count of 2018 data breaches and records compromised, what we already know from the year in review is that hackers are moving beyond the standard favorites of retail and restaurants to more enterprise-focused organizations, including ticketing.
In May, Ticketfly announced that hackers had gained unauthorized access to their platform, resulting in the exposure of names, addresses, email addresses and phone numbers connected to approximately 27 million Ticketfly accounts. While no credit or debit card information was accessed, Ticketfly operations went offline and “forced a precautionary password reset for all ticket buyers and clients prior to bringing our systems back online.”
Then in June, ticketing giant Ticketmaster reported a data breach that was later revealed to have stemmed from the compromise of their third-party vendor, Inbenta Technologies.
By going through Inbenta, the hacking group known as Magecart was able to access payment information. Magecart used a similar strategy on many other websites, meaning it could have stolen the credit card information of thousands of people on various websites by targeting only a few companies, RiskIQ found.
In July, Ticketmaster confirmed that the breach affected Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb from February 2018 through June 23rd, 2018.
The Role that Devaluing the Data Plays
The act of breaking into a network or system is not the culprit in data breaches. The culprit will always be whether or not the data in the system was encrypted. The kind of data present in “clear-text” and the quantity of that data determine the severity of a data breach.
Credit card information remains at the top of the data chain because it is easy to resell quickly on the Dark Web. Healthcare information and Personally Identifiable Information (PII) that could be used for identity theft are also a score for hackers.
As discussed in previous blogs and industry articles, Bluefin is a staunch advocate of the Devalue the Data vs. the Defend the Data approach to security. With the Defend the Data approach, organizations build stronger, higher and more expensive walls of security around their systems and data. With the Devalue the Data approach, companies employ security technology to devalue the cardholder data before it reaches their point-of-sale systems, rendering the data useless to hackers if it is exposed. According to Bluefin’s Chief Strategy Officer, Ruston Miles:
Companies can install and maintain all of the security technologies specified in the PCI DSS requirements including firewalls, intrusion detection, constant patch updates, 24/7 monitoring and 330 other security requirements. To say the least, this can be an arduous and costly effort.
In the process of maintaining such a security program company-wide, there may be unknown security holes that an IT staff doesn’t know about until it’s too late. This was certainly the case for many major retailers who were assessed to be PCI DSS Compliant only months before hackers breached unknown security vulnerabilities in their systems.
How Bluefin Helps Ticketing Organizations
Bluefin leads payment security with encryption technologies that help our ticketing clients and partners devalue the data. PCI-validated P2PE encrypts cardholder data at the Point of Interaction (POI) in a PCI-approved P2PE device and decryption is done off-site in an approved Bluefin Hardware Security Module (HSM). Our solutions prevent clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach. And because we partner with major ticketing organizations such as TicketReturn, Paciolan, AudienceView and more, venues and stadiums can get the technology seamlessly through their current platform.