Guernsey Press

Central Tickets confirms data breach which exposed personal user information

The London-based theatre ticketing platform said its network had been breached in July and that user records had been accessed in the hack.


Discount theatre ticketing platform Central Tickets has confirmed it has been the subject of a data breach, which compromised the personal information of users.

In an email to customers, the company confirmed the cyber attack happened on July 1, but it only became aware of it in September after being alerted by the Metropolitan Police to “chatter” on the dark web about the incident.

The firm said a “staging database” used for testing purposes and separate from its main website and app had been breached by a “threat actor” and that some earlier reports on the incident were “inaccurate” because they had included figures which “exceeded the size of our customer base”.

He said the company reported the incident to the Information Commissioner’s Office (ICO), the data protection regulator, as soon as it had become aware of the breach.

However, he did not confirm the number of users who had been affected.

In an email to customers, Mr McIntosh said: “You may be aware that we have had a data breach. As chief executive officer, I acknowledge the seriousness of the situation and I would like to offer my unreserved apology to you for any distress or concern this may have caused.

“We have confirmed that a data breach occurred in a staging database, hosted on a separate server, due to unauthorised access by a threat actor.

“This staging environment, used solely for testing purposes, is isolated from our main website and app. The breach, which occurred on 1st July 2024, exposed various personal identifiable information (PII) belonging to some of our members.

“On 11th September 2024 the Metropolitan Police informed us of chatter on the dark web indicating that a breach may have occurred.

“Prior to this, we had no knowledge or indication that our systems had been compromised. The initial police report did not include specific details or sources, making it difficult to verify the situation immediately, as we had no direct visibility of the data involved.”

“As required by law, we promptly reported the breach to the Information Commissioner’s Office (ICO) on 13th September 2024, providing all the information available to us at the time, within the mandatory 72-hour reporting window.”

In its message to customers, the company warned that those affected could now be the targets of phishing attempts from cybercriminals, and urged users to “remain vigilant” and to “monitor your accounts closely and be cautious of any suspicious calls, emails, texts, or websites that could be phishing or scams”.

As part of its own safety response, Central Tickets said it had locked down the affected staging database, introduced a forced password reset for all members, and carried out an audit of its IT infrastructure.

“We deeply regret that some of you may have heard about this breach through external sources before we could complete our investigation,” Mr McIntosh said.

“Due to the limited information initially available and conflicting reports, we needed time to gather the facts and ensure we had a full understanding of the scope of the breach before informing you.

“We are committed to doing everything possible to prevent a recurrence. Cybersecurity is a growing challenge for businesses, and we are investing in proactive defences to secure your data in the future.”

An ICO spokesperson said: “Central Tickets reported an incident to us and we are assessing the information provided.”

The Metropolitan Police and the National Cyber Security Centre (NCSC) have been contacted for comment.
