Central Tickets confirms data breach which exposed personal user information

The London-based theatre ticketing platform said its network had been breached in July and that user records had been accessed in the hack.

Martyn Landi
Monday 14 October 2024 08:54 EDT
Discount theatre ticketing platform Central Tickets has confirmed it has been the subject of a data breach, which compromised the personal information of users (Tim Goode/PA)
Discount theatre ticketing platform Central Tickets has confirmed it has been the subject of a data breach, which compromised the personal information of users (Tim Goode/PA) (PA Wire)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Discount theatre ticketing platform Central Tickets has confirmed it has been the subject of a data breach, which compromised the personal information of users.

In an email to customers, the company confirmed the cyber attack happened on July 1, but it only became aware of it in September after being alerted by the Metropolitan Police to “chatter” on the dark web about the incident.

The firm said a “staging database” used for testing purposes and separate from its main website and app had been breached by a “threat actor” and that some earlier reports on the incident were “inaccurate” because they had included figures which “exceeded the size of our customer base”.

I acknowledge the seriousness of the situation and I would like to offer my unreserved apology to you for any distress or concern this may have caused

Central Tickets chief executive Lee McIntosh

Chief executive Lee McIntosh said the firm has since carried out an investigation and confirmed that names, email addresses, mobile numbers and hashed passwords of “some” users had been accessed.

He said the company reported the incident to the Information Commissioner’s Office (ICO), the data protection regulator, as soon as it had become aware of the breach.

However, he did not the confirm the number of users who had been affected.

In an email to customers, Mr McIntosh said: “You may be aware that we have had a data breach. As chief executive officer, I acknowledge the seriousness of the situation and I would like to offer my unreserved apology to you for any distress or concern this may have caused.

“We have confirmed that a data breach occurred in a staging database, hosted on a separate server, due to unauthorised access by a threat actor.

“This staging environment, used solely for testing purposes, is isolated from our main website and app. The breach, which occurred on 1st July 2024 exposed various personal identifiable information (PII) belonging to some of our members.

“On 11th September 2024 the Metropolitan Police informed us of chatter on the dark web indicating that a breach may have occurred.

“Prior to this, we had no knowledge or indication that our systems had been compromised. The initial police report did not include specific details or sources, making it difficult to verify the situation immediately, as we had no direct visibility of the data involved.”

“As required by law, we promptly reported the breach to the Information Commissioner’s Office (ICO) on 13th September 2024, providing all the information available to us at the time, within the mandatory 72-hour reporting window.”

Mr McIntosh added that Central Tickets had received a summary report on the breach from the external cybersecurity team it was working with to investigate the attack at the end of last week, and had since continued its investigation to “help us better understand the situation” before informing customers of the attack.

In its message to customers, the company warned that those affected could now be the targets of phishing attempts from cybercriminals, and urged users to “remain vigilant” and to “monitor your accounts closely and be cautious of any suspicious calls, emails, texts, or websites that could be phishing or scams”.

We are committed to doing everything possible to prevent a recurrence. Cybersecurity is a growing challenge for businesses, and we are investing in proactive defences to secure your data in the future

Central Tickets chief executive Lee McIntosh

As part of its own safety response, Central Tickets said it had locked down the affected staging database, introduced a forced password reset for all members, and carried out an audit of its IT infrastructure.

“We deeply regret that some of you may have heard about this breach through external sources before we could complete our investigation,” Mr McIntosh said.

“Due to the limited information initially available and conflicting reports, we needed time to gather the facts and ensure we had a full understanding of the scope of the breach before informing you.

“We are committed to doing everything possible to prevent a recurrence. Cybersecurity is a growing challenge for businesses, and we are investing in proactive defences to secure your data in the future.”

An ICO spokesman said: “Central Tickets reported an incident to us and we are assessing the information provided.”

A spokesman for the Metropolitan Police said: “On 11 September we spoke to the company to advise them of information circulating suggesting they could have been the victim of a cyber attack.

“They were advised to report the matter to Action Fraud if this was found to be the case.

“At this time there is no Met Police investigation.”

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in