Inbenta and the Ticketmaster Data Breach FAQs

 

What happened?

On the evening of Saturday, June 23rd, we received notice from our customers at Ticketmaster that the personal data of their users had been compromised.

Upon further investigation by both parties, it was confirmed that the source of the data breach was a single piece of JavaScript code, customized by Inbenta to serve Ticketmaster’s particular requests. The attacker(s) located, modified, and used this customized script to extract the payment information of Ticketmaster customers processed between February and June 2018.

It is extremely important to note that this situation has nothing to do with any of Inbenta’s industry-leading AI and machine learning products and technology, which serve hundreds of customers on six continents. It is very specific to a particular customer implementation.

 

How did this happen?

After a careful analysis of all clues and snapshots from our systems, the technical team at Inbenta discovered that the script had been implemented on the payment page. We were unaware of this, and would have advised against doing so had we known, as it presents a point of vulnerability.

 

Who else has been affected?

Inbenta has conducted a detailed analysis of all the file systems used for development and production systems, thoroughly analysing any difference between the original source code and the version in the production environment. We can confirm that just 3 files were altered that affected 3 specific websites for Ticketmaster. No other file has been affected, and therefore we are completely confident that no other customer of Inbenta has been affected.

 

Do I have to inform my customers?

We are absolutely certain that no scripts or snippets have been altered, and therefore they work the way they were supposed to. That means that there is no risk that any of your data or your customers’ has been affected as a consequence of using Inbenta.

 

What are you going to do to prevent this from happening in the future?

Inbenta’s beginnings were in customer-specific projects, and the culture of our company is one that involves “always putting the customer first.” As such, we have often gone the extra mile to ensure our customers have the kind of implementation they want, customized to their requirements.

One of the advantages of hosting scripts on Inbenta’s servers that are embedded in our customers’ websites is the flexibility that Inbenta can offer our customers to have new functionalities or updates up and running quickly. The downside is that we cannot monitor which web pages our customers are embedding those scripts on, and therefore we cannot prevent customers from putting them on pages that collect sensitive information.

 

What else are you doing to improve your security?

Although no customer is at risk at this point, we are working with them to make sure all the customized snippets and JavaScript files are solely hosted by our customers, so Inbenta’s technology will be solely accessed by our secured, standard RESTful API. Some of our customers are already using this RESTful API as the only access to our technology.

We are working on a forensic analysis and overall revision of our security conducted by an independent third party, and we will share their results with our customers.

The privacy of our users is one of our core values, and we will take every measure to safeguard the personal information of all users who interact with our products.