What Happened
On July 1, 2024, Central Tickets (centraltickets.co.uk), a UK-based online ticketing platform that offers discounted access to theater and concert events, suffered a data breach. A threat actor accessed a staging database used for testing, separate from the company's main systems, and compromised personally identifiable information (PII) from approximately 722,860 accounts. Exposed data included full names, email addresses, phone numbers, IP addresses, device information, purchase histories, account creation dates, events attended, and hashed passwords. The passwords were stored insecurely as unsalted SHA-1 hashes, which leaves them vulnerable to cracking.

The breach was discovered in September 2024 after the Metropolitan Police alerted the company to dark web chatter. The hacker “0xy0um0m” attempted to sell the data for $3,000 on BreachForums before publicly leaking it.

Central Tickets responded by locking down the database, enforcing password resets, reporting to the ICO within 72 hours per GDPR, engaging a third-party incident response team, and committing to enhanced security measures such as audits and monitoring. CEO Lee McIntosh apologized and warned users of phishing risks.
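The unsalted SHA-1 storage noted above, shown beside a hardened replacement, as an added example that is not Central Tickets' code. The record layout, function names, scrypt parameters and sample passwords are assumptions made for illustration; it shows why unsalted digests collide across accounts and how legacy records can be upgraded at the next successful login.

```python
from __future__ import annotations
import hashlib, hmac, os

# Hypothetical record layout: {"scheme": ..., "hash": ..., "salt": ...}

def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def scrypt_hash(password: str, salt: bytes = b"") -> dict:
    """Per-account random salt plus a memory-hard KDF (parameters assumed)."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return {"scheme": "scrypt", "salt": salt.hex(), "hash": dk.hex()}

def verify_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """Check a login; on success, replace a legacy SHA-1 record with scrypt."""
    if record["scheme"] == "sha1":
        ok = hmac.compare_digest(record["hash"], legacy_sha1(password))
        return ok, (scrypt_hash(password) if ok else record)
    salt = bytes.fromhex(record["salt"])
    ok = hmac.compare_digest(record["hash"], scrypt_hash(password, salt)["hash"])
    return ok, record

def shared_digests(records: list[dict]) -> int:
    """Count accounts whose stored hash equals another account's hash."""
    counts: dict[str, int] = {}
    for r in records:
        counts[r["hash"]] = counts.get(r["hash"], 0) + 1
    return sum(c for c in counts.values() if c > 1)

if __name__ == "__main__":
    # Constructed sample passwords; two accounts reuse the same one.
    passwords = ["Summer2024!", "Summer2024!", "correct horse"]
    legacy = [{"scheme": "sha1", "hash": legacy_sha1(p)} for p in passwords]
    print("legacy accounts sharing a digest:", shared_digests(legacy))
    upgraded = [verify_and_upgrade(r, p)[1] for r, p in zip(legacy, passwords)]
    print("after upgrade-on-login:", shared_digests(upgraded))
```

Accounts that never log in again keep their legacy hash under this scheme, which is one reason a forced password reset is still needed after a leak.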



