“This is a company that has a lot of legacy infrastructure. It is what makes Ticketmaster possible. But that comes with a lot of legacy risk,” she said. “Old software and old hardware and old policies and procedures, that all introduces a lot of additional risk.”

Britton White, who publicly says that he works in cyberthreat intelligence for an unidentified private sector firm, posted on LinkedIn that a Ticketmaster software partner, EPAM, had an employee account breached where the attacker took over remote control of the victim’s system.

That attack method, White said in an interview, allows the attacker to avoid multi-factor authentication defenses and bypass two-factor authentication, “stealing the session tokens and cookies. With that level of access, these organizations just won’t know that they have been breached.”

However, he said that he couldn’t prove that that was the means of attack in this case.

Matt Harrigan, a VP at Leviathan Security, said that it was not clear whether the payment card data supposedly stolen would be sufficient to allow for fraudulent transactions.

Appropriate precautions

“You can’t buy a Ferrari with the last four digits of a payment card,” Harrigan said, adding that it appeared Ticketmaster had taken the appropriate precautions to protect cardholder data.