Two global companies, digital ticketing giant Ticketmaster and leading commercial bank Santander, were hit by major data breaches that appear to be linked to cyber attacks targeting the same cloud data platform, Snowflake. As the source of the breach remains unclear (Snowflake denies a breach), the damage is likely far from over.
With 590 million data records exposed between the two incidents, these recent breaches serve as a stark reminder for finance leaders that security threats lurking in your software supply chain can often prove the most deadly, giving rise to financial scams in the aftermath.
Ticketmaster and Santander were both victims of third-party data breaches. This type of security incident occurs when a third party handling or storing data on behalf of a company (often a software provider) is compromised, exposing the target company’s data.
While the root cause of these security incidents remains unclear, the common link between Ticketmaster and Santander is clear. With Snowflake’s customer list boasting the likes of Adobe, Canva, and Mastercard, cybercriminals could be sitting on even larger caches of compromised data yet to be reported.
Santander releases a company statement reporting unauthorised access to one of its databases “hosted by a third-party provider,” but the third party remains unnamed.
A post from a recently registered account appears on Russian cybercrime forum Exploit, advertising 1.3 TB of Ticketmaster data, including more than 560 million people’s information, for US$500,000. Compromised data allegedly includes names, addresses, email addresses, phone numbers, credit card details, ticket purchase histories, and more. The same advertisement appeared on rival dark web marketplace BreachForums a day later.
ShinyHunters, the hacking group responsible for the recent US telecom AT&T data breach, claims to be selling Santander customer details and staff information totalling 30 million records, with a US$2 million price tag.
Ticketmaster’s parent company, Live Nation, confirms “unauthorized activity within a third-party cloud database environment containing Company data” and the alleged appearance of “Company user data for sale via the dark web,” pending further investigation, in a securities filing dating back to 20 May 2024.
The Australian Cyber Security Centre (ACSC) releases a high-alert advisory recommending Snowflake customers enable MFA, disable unused accounts, and investigate unusual user activity.
Snowflake acknowledges a potentially “targeted threat campaign against some Snowflake customer accounts” but denies wrongdoing, having “not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.”
CISA publishes a cybersecurity advisory alert recommending Snowflake customers take steps to identify unusual activity and conduct further analysis to prevent unauthorised access.
More to come.
Large-scale data breaches are known to increase scam activity, oftentimes months after the initial attack occurs. Take, for instance, the Medibank data breach that was linked to 11,000+ other cyber incidents earlier this year. With close to 600 million sensitive data records allegedly in the hands of cybercriminals, AP teams should brace themselves for heightened suspicious activity.
Potential risks to prepare for include:
When a data breach occurs, AP teams need to stay informed on the latest updates to ensure they’re on guard during periods of heightened suspicious activity. They should also undergo routine training and awareness programs to ensure adequate financial controls are in place to identify scam attempts and stop them in their tracks.