Another Entry Point: Chatbots and Vendors

This probably isn’t the first time you’ve heard this, but artificial intelligence (AI) is the future. In fact, it’s already making a huge impact on our lives in ways you may not have considered.

Take chatbots, for example. They undoubtedly make customers’ lives easier. Whether it’s booking an appointment or agreeing to terms on a new credit card, this usage of AI is very popular and will likely only grow in popularity.

Frequently lost in this conversation, however, is whether or not these systems are secure. Chatbots are often put in place and managed by third-party vendors, so your organization may not know whether your chatbot provider is doing everything it can to protect your customers’ private information.

One large company recently found this out the hard way.

The Attack

Ticketmaster, the ticket sales and distribution company, recently warned their customers of a breach that was carried out via a chatbot system run by their vendor, Inbenta Technologies.

“As a result of Inbenta’s product running on Ticketmaster International websites, some of our customers’ personal or payment information may have been accessed by an unknown third party,” Ticketmaster announced.

Essentially, an attacker gained access to Inbenta’s system and planted malicious code, which allowed the attacker to extract valuable information from Ticketmaster’s users as they were making transactions.

Of course, Inbenta is pointing the finger back at Ticketmaster. In a statement, CEO Jordi Torras explains, “Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements. This code is not part of any of Inbenta’s products or present in any of our other implementations.”

It appears that, through this JavaScript code, attackers were able to access the system. Regardless of whose fault this is, Ticketmaster believes that up to 40,000 UK customers were affected and has offered them 12 months of free identity theft protection as a way to make amends.

What it Means for You

There’s a lot to take away from this breach, but the most important lesson is perhaps found in the interaction between Ticketmaster and their vendor. While it appears Ticketmaster had a hand in this breach by modifying the chatbot code provided by Inbenta, Inbenta was also either unaware of, or failed to warn Ticketmaster of, the consequences of manipulating the code or deviating from its suggested application.

In short, a lack of communication and a failure to ensure this modification wouldn’t upset Ticketmaster’s network security led to an easily avoidable breach.

This is something no organization should have to deal with. When you select your vendors for high-demand tools like chatbots, you need to be 100% confident that they adhere to all cybersecurity best practices, and your organization needs to have a process in place through which any independent modifications to the vendor’s services are checked and vetted for safety.

Services like our IT Security Assessment will evaluate all levels of your organization, test for potential weak points and educate your employees on essential cybersecurity best practices — steps that can help you avoid a situation like the one profiled here.

Remember, customers don’t just forget when you let their personal information fall into the wrong hands. Take every step you can to validate your organization’s security posture and keep these cybercriminals at bay.

Posted in BAI Security Blog.