Discount theatre ticketing platform Central Tickets has confirmed it has been the subject of a data breach, which compromised the personal information of users.

In an email to customers, the company confirmed the cyber attack happened on July 1, but it only became aware of it in September after being alerted by the Metropolitan Police to “chatter” on the dark web about the incident.

The firm said a “staging database” used for testing purposes and separate from its main website and app had been breached by a “threat actor” and that some earlier reports on the incident were “inaccurate” because they had included figures which “exceeded the size of our customer base”.

Chief executive Lee McIntosh said the firm has since carried out an investigation and confirmed that names, email addresses, mobile numbers and hashed passwords of “some” users had been accessed.

He said the company reported the incident to the Information Commissioner’s Office (ICO), the data protection regulator, as soon as it had become aware of the breach.

However, he did not confirm the number of users who had been affected.

In an email to customers, Mr McIntosh said: “You may be aware that we have had a data breach. As chief executive officer, I acknowledge the seriousness of the situation and I would like to offer my unreserved apology to you for any distress or concern this may have caused.

“We have confirmed that a data breach occurred in a staging database, hosted on a separate server, due to unauthorised access by a threat actor.

“This staging environment, used solely for testing purposes, is isolated from our main website and app. The breach, which occurred on 1st July 2024, exposed various personal identifiable information (PII) belonging to some of our members.

“On 11th September 2024 the Metropolitan Police informed us of chatter on the dark web indicating that a breach may have occurred.

“Prior to this, we had no knowledge or indication that our systems had been compromised. The initial police report did not include specific details or sources, making it difficult to verify the situation immediately, as we had no direct visibility of the data involved.

“As required by law, we promptly reported the breach to the Information Commissioner’s Office (ICO) on 13th September 2024, providing all the information available to us at the time, within the mandatory 72-hour reporting window.”

Mr McIntosh added that, at the end of last week, Central Tickets had received a summary report on the breach from the external cybersecurity team it was working with to investigate the attack, and had since continued its investigation to “help us better understand the situation” before informing customers of the attack.

In its message to customers, the company warned that those affected could now be the targets of phishing attempts from cybercriminals, and urged users to “remain vigilant” and to “monitor your accounts closely and be cautious of any suspicious calls, emails, texts, or websites that could be phishing or scams”.

As part of its own safety response, Central Tickets said it had locked down the affected staging database, introduced a forced password reset for all members, and carried out an audit of its IT infrastructure.

“We deeply regret that some of you may have heard about this breach through external sources before we could complete our investigation,” Mr McIntosh said.

“Due to the limited information initially available and conflicting reports, we needed time to gather the facts and ensure we had a full understanding of the scope of the breach before informing you.

“We are committed to doing everything possible to prevent a recurrence. Cybersecurity is a growing challenge for businesses, and we are investing in proactive defences to secure your data in the future.”

An ICO spokesman said: “Central Tickets reported an incident to us and we are assessing the information provided.”

A spokesman for the Metropolitan Police said: “On 11 September we spoke to the company to advise them of information circulating suggesting they could have been the victim of a cyber attack.

“They were advised to report the matter to Action Fraud if this was found to be the case.

“At this time there is no Met Police investigation.”