It isn't over .... Adele fans' security breached

Some fans buying tickets for Adele's European tour were shocked to see the payment details and addresses from other people's shopping baskets other than their own while attempting to check out.

It isn't over .... Adele fans' security breached
It isn't over .... Adele fans' security breached

Fans of Adele were shocked today when trying to book tickets to her upcoming tour after a possible security breach.

Customers buying tickets to Adele's new tour were shown other people's shopping baskets and bank details. The company Songkick denies any security breach. It has claimed no breach of security occurred and that its systems are secure. It has claimed the odd anomalies occurred because of the volume of people trying to buy tickets at once. Although on the website it is claimed that there is no evidence that credit card numbers or passwords were compromised but that customers should remain vigilant and check their statements.

However it is possible the website (code) may have been written insecurely. According to security commentator Graham Cluely, talking to the BBC, “the thing is this - if the website had been built properly in the first place it shouldn't have been possible for customers to see the details of other purchasers at all - regardless of whether the site was busy or not.”

In an email to SC, Paul Farrington, senior solution architect at Veracode commented: "It's very likely that a combination of code review and Automated Static Analysis would have uncovered this problem before Adele arrived back at the top of the charts. Testing automation can help assess sites in minutes, giving developers peace of mind before their software encounters the public. Adversaries will be watching for other sites that use the same underlying ticketing technology to see if this discovery facilitates further data leakage."

What appears to be a similar issue occurred with the Marks and Spencers site in October when shoppers were complaining they were seeing other customers payment details and shopping baskets. There may be a possible connection to both these cases as they seem like very similar errors in online transactions, with regards to the website showing other people details, but it has not yet been possible to confirm if the same approach had been used by both websites.

Mark James, security specialist at IT Security Firm ESET emailed SC to offer the following explaination of what happened: "The server under heavy load was displaying other people's shopping cart and checkout options; this should never (ever) happen. It should be technically impossible for this happen but when servers are under very heavy loads, processes used to speed up the average browsing session could be responsible for serving up duplicated or incorrect data. The public sees private information from someone else and immediately thinks the worst. The chances of someone actually using this information for ill gains is quite slim but even so it's an indication that something is very wrong somewhere.

"Companies are under constant pressure to protect our data and show the public that they value the said data. This latest incident will do nothing to put our minds to rest, will it stop people ordering tickets to see a blockbusting megastar sing, probably not but you should take measures to protect yourself where possible. Use a separate credit card for internet purchases, one that is easily cancelled if compromised, keep your everyday finances away from it and review your financial statements as regularly as you can.”

Some fans reported their experiences on Twitter, some encountering hour-long online queues, while purchasing the high-in-demand tickets for Adele's first tour since 2011.

Kiran Farmah, in Birmingham, tweeted, “I got through to buying tickets but it came up with someone else's screen with their card details & home address for SSE.”

“Got through, four tickets Glasgow, came up with two tickets for London and someone else's name/address,” said Michael Crow.