The smoking gun: How to speed up the discovery of data breaches

In the summer of 2018, the incident that privacy obsessives had been waiting for happened: a major data breach, by a household name, in the new GDPR (General Data Protection Regulation) era.

Ticketmaster was the victim, having learned that a cyber criminal had performed a code injection on its website.

Essentially, there was a chatbot on the payment page of the website. This is the automated messenger you can write questions to in order to get help.

If you know a little bit about coding, then it is possible to politely ask this chatbot to send you all the information that has been submitted to the web page – which, in the case of the Ticketmaster breach, was huge amounts of financial details.

This method may ring a bell, as a similar approach was used to rob TalkTalk in 2015. After extracting the information, it’s simply a matter of putting thousands of card details on the dark web and selling them for $20 a pop. Hey presto, you don’t have to work again for a few months.

How was the breach discovered?

Ticketmaster became aware of the issue when customers’ banks approached the organisation to report suspicious activity on accounts. Specifically, a customer had accidentally submitted incorrect data to Ticketmaster.

The incorrect data was then used in an attempted fraudulent transaction. This meant that Ticketmaster had to be the source of the breach, as it was the only organisation that held the incorrect version of the information. A “smoking gun”, to use the ICO’s (Information Commissioner’s Office) words.

The ICO’s investigation revealed that up to 9.4 million individuals could have had their personal data stolen. Meanwhile, 60,000 payment cards belonging to Barclays customers had been subject to known fraud.

The ICO fined Ticketmaster £1.25 million – one of the largest ever for a data breach in the UK –demonstrating the new powers that the GDPR gives supervisory authorities. By contrast, its predecessor, the DPA (Data Protection Act) 1998, capped fines at £500,000.

Let’s take a look at the ICO’s investigation to demonstrate how prompt data breach discovery can prevent costly fines.

How to detect data breaches

In the ICO investigation, the initial red flag appears to be the single piece of incorrect card information discovered by a bank. However, by this point, financial details had been leaking out of Ticketmaster for almost five months.

Without this piece of evidence, would the theft have gone unnoticed and continued for even longer? Are there any lessons to be learned that would allow breaches to be identified sooner?

One of the data protection products offered by DQM GRC for organisations handling large amounts of customer data is data seeding. This service works on a similar principle to how the Ticketmaster breach was discovered.

A number of synthetic customer profiles are seeded into a database; these profiles are unique and are held by no organisation other than the client.

Therefore, if data from these seed profiles appears as part of a breach or theft, the client knows immediately that it is their system that has been compromised.

The profiles are monitored by DQM GRC to ensure that the client hears of any potential incident the moment it happens. This form of monitoring can dramatically reduce the amount of time an organisation’s data is being lost without its knowledge.

Data seeding is specifically designed to identify data loss or theft early. It is based on tracking solutions that DQM GRC has been providing to high-profile clients for more than 20 years.

Using this service also demonstrates to both customers and regulators that your organisation takes its commitment to the security of personal data seriously. Data seeding helps to catch misuse in a live environment, but combining it with our process assurance testing service means we can help you get ahead of any breaches before they occur.