Central Tickets confirms data breach in which personal user information was made public

Sign up for our breaking news emails for free real-time breaking news alerts sent straight to your inbox

Sign up for our free breaking news emails

Sign up for our free breaking news emails

Theater ticket discount platform Central Tickets has confirmed that there has been a data breach, which has put users’ personal information at risk.

In an email to customers, the company confirmed that the cyber attack took place on July 1, but it only became aware of it in September after being warned by the Metropolitan Police to ‘chat’ about the incident on the dark web.

The company said that a “staging database” used for testing purposes and separate from the main website and app was breached by a “threat actor” and that some previous reports on the incident were “inaccurate” because they included figures that ” crossed boundaries’. size of our customer base”.

CEO Lee McIntosh said the company has since conducted an investigation and confirmed that names, email addresses, mobile numbers and hashed passwords of “some” users had been accessed.

He said the company reported the incident to the Information Commissioner’s Office (ICO), the data protection regulator, as soon as it became aware of the breach.

However, he did not confirm the number of affected users.

In an email to customers, Mr McIntosh said: “You may be aware that there has been a data breach. As Chief Executive Officer, I recognize the seriousness of the situation and would like to apologize unreservedly for any inconvenience or concern this may have caused.

“We have confirmed that a data breach occurred in a staging database, hosted on a separate server, due to unauthorized access by a threat actor.

“This test environment, which is used for testing purposes only, is isolated from our main website and app. The breach, which occurred on July 1, 2024, exposed various personally identifiable information (PII) of some of our members.

“On September 11, 2024, the Metropolitan Police informed us of rumors on the dark web indicating that a breach may have occurred.

“Prior to this, we had no knowledge or indication that our systems had been compromised. The initial police report did not provide specific details or sources, making it difficult to immediately verify the situation as we had no direct insight into the data involved.”

“As required by law, we immediately reported the breach to the Information Commissioner’s Office (ICO) on September 13, 2024, providing all information available to us at the time, within the mandatory 72-hour reporting period.”

Mr McIntosh added that Central Tickets had received a summary report on the breach late last week from the external cyber security team it was working with to investigate the attack, and had since continued its investigation to “help us better understand the situation” before informing customers about the attack.

In its message to customers, the company warned that those affected could now be the target of phishing attempts by cybercriminals, and urged users to “remain vigilant” and “keep a close eye on your accounts and exercise caution with suspicious phone calls, emails, text messages, or websites that may be phishing or scams.”

As part of its own security measure, Central Tickets said it had locked down the affected staging database, implemented a forced password reset for all members and conducted an audit of its IT infrastructure.

“We deeply regret that some of you learned about this breach from external sources before we could complete our investigation,” Mr McIntosh said.

“Due to the limited information initially available and conflicting reports, we needed time to gather the facts and ensure we had a full understanding of the extent of the breach before notifying you.

“We are doing everything we can to prevent a recurrence. Cybersecurity is a growing challenge for businesses and we are investing in proactive defenses to secure your data into the future.”

An ICO spokesperson said: “Central Tickets has reported an incident to us and we are assessing the information provided.”

The Metropolitan Police and the National Cyber ​​Security Center (NCSC) have been contacted for comment.