Anatomy of a Breach: Ticketmaster UK and Dixons Carphone — The UK's Summer of Breaches Under GDPR

> series: anatomy_of_a_breach —— part: 114 —— targets: ticketmaster_uk + dixons_carphone —— context: first_month_of_gdpr

Hedgehog Security 30 June 2018 13 min read

GDPR was five weeks old. Two major UK breaches hit simultaneously.

On 27 June 2018 — just 33 days after GDPR came into force — Ticketmaster UK disclosed that a malicious JavaScript payload embedded in a third-party customer support chatbot (provided by Inbenta Technologies) had been used to skim payment card details from up to 40,000 UK customers. The attack was an early example of Magecart — a collective term for threat groups that inject card-skimming JavaScript into e-commerce websites. The malicious code captured card numbers, expiry dates, and CVVs as customers entered them on the Ticketmaster checkout page.

Days earlier, Dixons Carphone had disclosed a breach affecting approximately 10 million customer records and 5.9 million payment card details — a breach that had been active since July 2017, predating GDPR. The ICO would later fine Dixons Carphone £500,000 under the pre-GDPR DPA (since the breach occurred before 25 May 2018) and Ticketmaster £1.25 million under GDPR. The twin disclosures — both involving UK household names, both involving payment card data, both in the first weeks of GDPR — put UK corporate cybersecurity under intense public and regulatory scrutiny.

The supply chain skimmer that would define 2018.

The Ticketmaster breach introduced the UK public to Magecart — a threat methodology in which attackers inject malicious JavaScript into e-commerce websites (either directly or through compromised third-party scripts) to capture payment card data in real time as customers enter it during checkout. Unlike traditional card breaches that target databases or POS systems, Magecart operates in the browser — capturing data before it reaches the server.

Third-Party Script Compromise

The Ticketmaster attack came through a third-party chatbot script — code from Inbenta Technologies that was loaded on Ticketmaster's payment pages. By compromising the third party, attackers could inject skimming code onto Ticketmaster's site without directly breaching Ticketmaster. This supply chain vector — compromising vendors whose scripts run on your pages — is assessed in our <a href="/penetration-testing/web-application">web application testing</a>.

Real-Time Card Skimming in the Browser

Magecart captures card data as the customer types it — before the data reaches the server, before encryption, before any server-side security control can act. Defence requires Content Security Policy (CSP) headers, Subresource Integrity (SRI) checks, and continuous monitoring of third-party scripts. Our <a href="/penetration-testing/web-application">application testing</a> verifies these controls.

E-Commerce Under Attack

Magecart would go on to compromise <a href="/blog/anatomy-of-a-breach-british-airways-magecart">British Airways</a>, Newegg, and hundreds of other e-commerce sites in 2018 alone. For UK <a href="/blog/sector-under-the-microscope-retail">retailers</a>, Magecart defence is now a baseline requirement. <a href="https://www.socinabox.co.uk/sectors/retailers">SOC in a Box for Retail</a> monitors for script injection and skimming activity.

First GDPR Enforcement Tests

The Ticketmaster and Dixons breaches were among the first major tests of GDPR enforcement. Ticketmaster was fined £1.25 million under GDPR; Dixons Carphone £500,000 under the pre-GDPR DPA. The distinction highlighted the importance of when a breach occurred relative to the GDPR enforcement date.

Third-party scripts on payment pages are your responsibility.

The Ticketmaster breach established that organisations are responsible for the security of third-party code running on their payment pages. Under GDPR and PCI DSS, the fact that a compromise came through a vendor's script does not absolve the organisation hosting the script. Web application testing assesses third-party script security, Content Security Policy implementation, and Subresource Integrity deployment. PCI DSS testing validates payment page security. Cyber Essentials establishes baseline controls. SOC in a Box monitors for script injection in real time. And UK Cyber Defence provides incident response when Magecart-style attacks are detected.


Magecart compromised Ticketmaster through a chatbot script. What third-party scripts run on your payment pages?

Our <a href="/penetration-testing/web-application">web application testing</a> assesses third-party script security. <a href="/penetration-testing/pci-dss">PCI DSS testing</a> validates payment page controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for script injection.