Ticketcounter leaks data for millions of people, didn’t delete sensitive data and was outed

Data of visitors to Diergaarde Blijdorp, Apenheul, Dierenpark Amersfoort and dozens of other theme parks are on the street. Ticket seller Ticketcounter is also extorted for 3 tons.

An employee accidentally posted data online where they didn’t have to. As a result, the data could be found there for months (from 5 August 2020 to 22 February 2021). The data is then offered for sale on the dark web.

This mainly concerns data of people who have purchased day tickets via the website.

Source: Groot datalek bij Ticketcounter, ook hack bij InHolland – Emerce

It turns out they kept all this data they shouldn’t have.

The database contained the data of 1.5 million people who had purchased a ticket through Ticketcounter. These include their names, email addresses, telephone numbers, dates of birth and address details. If people with iDEAL have paid for their entrance ticket, their bank account number (IBAN) has also fallen into the wrong hands.

Source: Datalek Ticketcounter treft ook bezoekers musea en attracties

Why did they keep all this data? And why wasn’t it encrypted?

It was leaked when someone made a backup which a) wasn’t encrypted and b) was placed somewhere stunningly easy to find. Now they are being extorted to the tune of 7 BTC which they are not planning to give.

Ticketcounter makes it sound like they are some kind of victim in this but their security practices are abysmal and hopefully they will be fined a serious amount.

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com