See Tickets’ Credit Card Skimming Breach Caused by Malware in Tracking Software

Executives at one of the largest independent ticketing companies in North America believe malware hidden inside a tracking pixel used for sending customers targeted advertisements was the source of a two-and-a-half-year credit card skimming operation.

Company officials with See Tickets North America, a subsidiary of French entertainment conglomerate Vivendi, tell Billboard that criminals were able to operate a sophisticated credit card skimming fraud on See Tickets checkout pages. While See Tickets officials didn’t detail which events were impacted, the company is one of the largest ticketing sites for indie promoters in North America with clients that include Pitchfork Festival and Disco Donnie Presents’ Freaky Deaky festival, as well as venues like the Troubadour in West Hollywood, California. 

Tracking pixels are typically used to identify customers and share information about the consumer with ad networks and other large technology companies. One popular use of tracking pixels in the events business is to serve ads to fans who visited a music festival's website but did not purchase tickets, in hopes of enticing them to make a purchase.

Company officials believe that an exploit in the pixel See Tickets was using allowed criminals to take snapshots of credit card transactions as they happened without having to break into See Tickets’ system or database. The malicious code first appeared on the site on June 25, 2019, about nine months before the COVID-19 pandemic forced the shutdown of the live entertainment industry.

“At See Tickets we take securing customer information very seriously and deeply regret this incident occurred,” Boris Patronoff, CEO of See Tickets North America, told Billboard in a statement. “We also understand how this may have negatively impacted on our clients and their customers. We conducted an immediate investigation as soon as the issue was discovered and communicated with clients and customers the moment it was possible to do so. We have since taken additional measures to further strengthen our security.”

Company officials became aware of the security breach in April 2021 after being contacted by credit card investigators looking at fraudulent charges linked to purchases on the See Tickets website. Within days of being notified, the ticketing company hired two forensic investigation teams to investigate the breach. In January of this year, the malicious code was eradicated from the site.

Last month, See Tickets concluded its investigation and began notifying state law enforcement officials with the details of the breach. While See Tickets’ own customer and promoter data was not accessed during the breach, criminals were able to obtain details from credit card transactions including full name, address, card number, expiration date and CVV. 

See Tickets says a majority of ticket buyers who used the site were not impacted by the breach and notes that social security numbers, state identification numbers and bank account information were not exposed due to this incident, as they are not stored in its systems.

The breach is the second major hack of a ticketing company in five years. In 2018, hackers briefly took over the Ticketfly home page and took parts of the company offline for months, grinding much of the independent music industry to a halt. Ticketfly user and client data were stolen during the attack and wound up on the dark web.

Dave Brooks

Billboard