A Ticketmaster hack spilled sensitive data for 560 million customers, hackers say
A Ticketmaster hack spilled sensitive data for 560 million customers, hackers say
The hacking group ShinyHunters claimed responsibility and is seeking $500 million
ShinyHunters posted on Tuesday night in a hacking forum that it obtained data from Ticketmaster and its parent company, Live Nation, including customers’ names, addresses, emails, phone numbers, and order details, Cyber Daily wrote. The group is reportedly attempting to sell the stolen data for $500 million.
From this other link: https://www.abc.net.au/news/2024-05-29/ticketmaster-hack-allegedlyshinyhunter-customers-data-leaked/103908614
It said 1.3 terabytes of customer data possessed by Ticketmaster including names, addresses, credit card numbers, phone numbers and payment details is up for sale.
You're viewing a single thread.
I'll look forward to my $0.50 check and exactly zero consequences for the higher-ups that I'm sure slashed IT/cybersecurity budgets.
"Did you cut security staff?"
"Yes."
"How much?"
"70%"
"And did that lack of security cause a security breach?"
"Yes."
"And how much money did that cost us?"
"2 million dollars."
"And how much did the security team that was let go cost us?"
"$500,000 per year."
"So, we break even after 4 years, and profit after 5?"
"Uhhhhhhh..........I guess?"
"Good work Johnson".
heh, you don't know how true this is. I've worked in IT for 2 decades. IT is pretty much always seen as a cost center.
If everything is running smoothly - "what are we paying you for?!"
If everything is on fire - " What are we paying you for!?"
And now with companies getting the tiniest of slaps on the wrists for willful negligence it's cheaper to cut IT funding, outsource it, whatever.
If the cost of the fine is less than the profits gained by doing "x" then that's just the cost of doing business. Execs will continue to do this until there are real consequences for the company and them directly.
Until there are proper incentives for executives (e.g. full asset seizure and mandatory multi-year community service in roles such as junior janitor, junior hospice care specialist, live-in support for late stage alzheimer's patients) that require them to take ownership and responsibility for their actions (or lack of thereof), this will continue.
Just look at the 2017 Equifax breach in the US:
Wikipedia background:
An Equifax internal audit in 2015 showed that there was a large backlog of vulnerabilities to patch, that Equifax wasn't following its own timescales on patching them, that IT staff did not have a comprehensive asset inventory, that Equifax didn't consider how critical an IT asset was when prioritising patches, and that the patching process worked on an 'Honour system'. The report set out actions to improve the process, but the time of the breach, two years later, many of them had not been completed.
Equifax press release states that CIO and CSO can now enjoy retirement:
As part of the company's ongoing review of the cybersecurity incident announced September 7, 2017, Equifax Inc. (NYSE: EFX) today made personnel changes and released additional information regarding its preliminary findings about the incident.
The company announced that the Chief Information Officer and Chief Security Officer are retiring.
Richard Smith, the CEO under whose watch this happened, got to retire at the ripe old age of 57 and got a nice bonus of $90 M
Richard Smith, 57, is the third Equifax executive to retire under pressure following the company's massive data breach revealed earlier this month, putting the personal information of as many as 143 million people at risk.
But the CEO is still set to collect about $72 million this year alone (including nine months' worth of his $1,450,000 salary), plus another $17.9 million over the next few years. That's when the rest of Smith's stock compensation hits a few important milestones or "vests," allowing Smith to essentially put it in his bank account. Altogether, it adds up to a total potential paycheck of more than $90.1 million, according to Fortune's calculations based on Equifax securities filings.
Are you salivating at the mere thought of this, then?
Amazon execs may be personally liable for tricking users into Prime sign-ups
This is a start, but the fact that they come up with this:
Executives had urged the court to dismiss the FTC's claims against them. They argued that the FTC "singled them out 'for an ‘unprecedented sanction'" when the agency had "only recently started prosecuting companies for using 'dark patterns'" under Restore Online Shoppers' Confidence Act (ROSCA) and the FTC Act. They claimed that the FTC never alerted them to any wrongdoing before filing the lawsuit, so how could they have known they were violating the law?
Suggests that they are not being serious.
And I doubt the fine will be sufficient for them to re-evaluate their attitudes. What we need is full asset seizure (every last cent, home, car, everything) and to send them to do a decade as junior support personnel at a late stage Alzheimer's care facility (my dad had Alzheimer, so I am not being callous for the sake of it).
They can also do 20 years in prison with no parole if they are too good for community service.
I'm not sure how that's indicative of the FTC not being serious? You're quoting a defense argument, of course they're going to argue the agency is wrong.
With respect to the US regulatory/judicial actions, I find it difficult to believe that they will be sufficient to nudge the criminals towards genuine self-reflection and a desire to change their behaviour. Similarly, other criminals are likely see enforcement action as more of a "risk to be managed" as opposed to a strong incentive to re-evaluate their approach to criminal schemes.
This is of course not a US only problem, albeit there are countries were consumer rights and business criminality is less socially acceptable.
I didn't interpret their argument as stating "the agency is wrong". More like "we weren't told this was wrong, we were one of the caught ... so this claim should be dismissed."
I would even go as far as saying that this is a sign of disrespect towards judicial processes.
It's a fairly routine argument by the defense (we're being singled out/the regulations are unclear). And regarding federal enforcement, there's a lot of hamstringing by Congress.
All that to say, this is arguably a good sign of the FTC properly enforcing, not a reason for pessimism.
I hope you're right. :)