This code had been altered by some malicious person back in February and the problems began at that point, he said.
"(Digital bank) Monzo provided a timeline around how they discovered fraudulent Mastercard transactions tied to Ticketmaster in April 2018, including a visit from Ticketmaster," Beaumont added.
"Ticketmaster’s statement, by contrast, says they discovered the issue in June 2018 – I presume two months was taken to identify the issue being the Inbenta integration."
"Businesses should make a risk assessment around this – not just due diligence, but seriously assess the risk and impact of a breach of a third party on their business."
Beaumont said that while companies were investing in PCI standards, compliance, risk, resourcing and encryption, attackers were looking for other links in the chain that they could exploit.
"Cracking AES encryption? Not happening soon," he said. "Breaking into the webserver of a chatbot provider? Yes, that is happening. As Inbenta point out in their incident report, a single line of HTML code in Ticketmaster’s website led to this issue.
"The canary is dead. Check your supply chain. Because attackers are."
Adenike Cosgrove, who is in charge of cyber security at security firm Proofpoint, told iTWire that the Ticketmaster incident was one of the first major international breaches of EU personal data reported after the GDPR enforcement date.
She said this made it "a case to watch with regard to consequences. Questions will be asked first and foremost about how sensitive personal data including payment information was shared, unencrypted, with a third-party application".
Damien Manuel, chairman of the lobby group Australian Information Security Association, commended Ticketmaster "for disclosing the data breach quickly and providing notification to affected customers encouraging them to be vigilant and check for fraudulent credit card transactions".
"This latest incident highlights the need for supply chain governance, as cyber criminals are now attacking the weakest points in the supply chain to gain access to data that can be monetised. The banking sector is very mature in this space and under APRA (Australian Prudential Regulation Authority) requirements, regular security audits are performed across the supply chain."