As the holidays approached, some unlucky venue-goers at Madison Square Garden (MSG) properties were treated to a not-so-great gift: news that their credit cards were hacked.
The breach affected some of New York City’s most famous venues, including Madison Square Garden, Theatre at Madison Square Garden, and Radio City Music Hall, and Beacon Theater as well as Chicago Theater. Card numbers, cardholder names, verification codes and expiration dates are all thought to be at risk of being stolen from MSG point-of-sales (POS) systems.
The payment processing system hack lasted approximately a year, from Nov. 9, 2015 to Oct. 24, 2016. MSG hasn’t disclosed how cards are affected but it did say that not all cards used during this time frame are victims of the hack attack. The hack only involved physical cards used at one of the MSG venues and not cards used on MSG websites or at the box offices or on any other third-party ticketing platforms.
MSG said in a statement it “identified and addressed issues resulting from external unauthorized access to MSG's payment processing system at five of its properties. After learning of a transaction pattern indicating a potential data security concern, MSG immediately initiated an investigation and engaged leading computer security firms to examine its network, fix the issue and implement enhanced security measures.” The breach is under investigation by the authorities.
“It sounds like the hackers gained access to data that is contained in the magnetic stripe on the back of payment cards swiped in person to purchase merchandise and food and beverage items at the properties,” said John Christly, CISO, Netsurion, a managed security solutions company. “Venues like Madison Square Garden and Radio City Music Hall that have multiple food, beverage and retail locations on-site must be armed with better tools and increased cyber-intelligence to ward off and alert to these kind of attacks.”
Why do people hack? According to Andrew Kroening, CFE and creative services director, Wisconsin State Fair, West Allis, which was also a recent hacking victim, there are many reasons: vulnerability scanning; to infect a system with malware; monetary gain; information leakage; website vandalism and server disruption.
Potential threats to a system include updates, backdoor intervention, security breaches, plug-ins and outdated software, according to Kroening.
He also said that websites that use standard web-building packages like WordPress, Blogger and Drupal are the most vulnerable. “Third-party access, plug-ins, widgets, and outdated scripts can cause a lot of destruction,” he said.
Warning signs of a breach are extended load times, anomalies to webpages, redirection, modified server files and site outage. “You don’t want to end up on the Google-blacklist,” he said.
It is no longer just a case of setting up a typical firewall and letting it run without constant, vigilant monitoring. Fine-tuning and safeguarding the data is interconnected with other systems, Christly added.
In June of this year groups of so-called "hacktivests" were carrying out Distributed Denial of Service (DdoS) attacks on rodeo websites. In these attacks, an attempt is made to render a webpage unavailable to its intended users and webpages may become temporarily or indefinitely interrupted.
“Recently there has been a renewed effort by these groups to again target the sport of rodeo,” said Jed Pugsley, Livestock Program Administrator, Professional Rodeo Cowboys Association. “We told our members to talk to their website hosting provider to ensure that their webpage was secure.”
“Free website hosting providers are the least secure and provide the least protection from such attacks,” he said. “Webpages where financial information is exchanged, like ticket sales, may make your page a bigger target.” He also stressed that the geographical location of a rodeo, the size of the rodeo and past activist issues may also make certain rodeos bigger targets.
“These hactivests continue to be very open about their actions on social media sites,” said Pugsley. “The language they use in their posts continues to escalate.”
“Many companies think they are protected using some of the tools from their tool belts, but that’s not the case anymore,” said Christly. “The hackers are sophisticated and know how to get around a lot of the systems we think are protecting us. I would urge all companies to enhance their tools. These days it’s vital to watch the data flow through the network to hopefully catch breaches from happening in the first place, or at least stop the damage sooner than later.”
“Some of these breaches may look like normal web traffic that will be ignored by a typical firewall,” explained Christly. “These advanced attacks can cause some real damage.”
Wisconsin State Fair’s hacking crisis caught Kroening and his staff off guard. “During the holiday season we noticed that the search engine results for our website was issuing a redirect to a Viagra company in Mexico,” he said. “We had to go through all our code to see what updates had been made. It was hours of work. The problem was a plug-in we had. “We’ve taken a lot of steps to make sure that doesn’t happen again.”
Kroening said that backups are the key to fixing a hack like the one made against the Wisconsin State Fair. “We went to a specialized malware scan provider and were successful at pulling out the files that were related to the malware that had been placed there.”
The next step was to notify Google and follow a series of steps that identified what the problem was, how they rectified it and submitting the site to be re-indexed.
Kroening offered solutions. “Antivirus and malware scans are your number one tool,” he said. “Have clean backups ready; have backups stored daily, weekly and monthly.”
He also advised changing passwords often; using unique strong passwords; limiting the number of administrative accounts that allow access and the ability to make changes to a website; doing vulnerability scanning; using multifactor user authentication and having a system that alerts the main web manager to all log-ins with a log-in alert.
Kroening said Wisconsin State Fair increased its digital presence 15 percent this year and web-based traffic increased 40 percent. Of the web-based traffic, 70 percent of it is now done on a mobile device. “With technology changing, you have to stay on top of these things,” he said. “You have to be vigilant. So much of our marketing is going toward online and we want to keep it as safe as possible.”
“Basically, constant monitoring is the key,” said Kroening.
Interviewed for this story: Andrew Kroening, (414) 562-5292; John Christly, (713) 322-3056; Jed Pugsley, (719) 528-4782