Central Tickets, a UK-based discount theatre platform, has confirmed it experienced a data breach that compromised its users’ personal information. The breach occurred on July 1, 2024, but the company was unaware of the incident until September when the Metropolitan Police alerted it to “chatter” on the dark web regarding the leak.
The company recalled that the breach affected a “staging database” used solely for testing purposes, separate from its main platform and app. According to Central Tickets, this database was infiltrated by a threat actor, leading to unauthorised access to personally identifiable information (PII), including the names, email addresses, mobile numbers, and hashed passwords of an unspecified number of users, reports Independent.
In an email to affected customers, Central Tickets’ chief executive, Lee McIntosh, expressed regret over the incident. “I acknowledge the seriousness of the situation and would like to offer my unreserved apology to you for any distress or concern this may have caused,” McIntosh said.
He also clarified that some earlier reports overstated the scale of the breach, with numbers “exceeding the size of our customer base.”
After being notified by the Metropolitan Police, the company reported the incident to the Information Commissioner’s Office (ICO) on September 13, 2024, complying with the UK’s mandatory 72-hour reporting requirement for data breaches.
Despite the discovery delay, Central Tickets has not disclosed the exact number of affected users. McIntosh further assured the customers that the hacked servers were different from the main servers and that the breach was contained in that isolated environment.
However, the breach raises concerns for users as the compromised attacks or other scams. Central Tickets has urged users to be cautious, advising them to monitor their accounts and remain vigilant against any suspicious communication.
The company also explained several security measures it took in response to the incident, including locking down the affected database, enforcing a mandatory password reset for all users, and conducting an audit of its IT infrastructure.
In the News: AI chatbots are vulnerable to data theft via hidden Unicode characters
