misconfiguration | Resolved

Ticketcounter data breach and extortion

A Dutch e-ticketing platform left a database backup exposed on an unsecured Azure server; an attacker downloaded the data on 1.9 million people and demanded 7 bitcoin (~$337,000) not to leak it.

Victim: Ticketcounter
Records: 1.9M
Users: 1.9M

In early 2021, the Dutch e-ticketing platform Ticketcounter, which sells admission tickets for zoos, museums, amusement parks and other attractions across the Netherlands, disclosed a data breach affecting 1.9 million people, followed by an extortion demand. The root cause was not a sophisticated intrusion but a misconfigured cloud server that left a full database backup exposed to the internet.

What happened

In August 2020, Ticketcounter copied a production database to a Microsoft Azure server in order to test an anonymisation process that replaces real personal data with fake values. As CEO Sjoerd Bakker later explained, after the database was copied it was not secured properly, leaving the backup accessible to anyone who found it.

In February 2021, an attacker located the exposed backup and downloaded the entire dataset. On 22 February 2021, the attacker contacted Ticketcounter directly and demanded 7 bitcoin (roughly $337,000 at the time) not to leak the data publicly. Ticketcounter did not pay, and the data was subsequently offered for sale on a hacking forum.

Impact

  • The breach exposed 1.9 million unique email addresses. For affected individuals the records also included names, physical addresses, IP addresses, genders, dates of birth, payment histories, and in some cases bank account numbers.
  • The combination of identity and financial data created elevated risk of phishing, fraud, and account-takeover against affected customers.
  • The dataset was ingested into Have I Been Pwned, allowing affected users to check their exposure.
  • Although Ticketcounter refused the ransom, the public circulation of the data meant the damage to customers was effectively done.

Why it matters

The Ticketcounter breach is a clear illustration of how cloud misconfiguration, not advanced attacker tradecraft, drives a large share of modern data exposures. A routine engineering task (testing an anonymisation pipeline) on an unsecured Azure instance was enough to compromise nearly two million people. It reinforced several enduring lessons: production data should never be copied into test environments without strict access controls; cloud storage must default to private and be continuously audited; and paying an extortion demand offers no guarantee once data has already been exfiltrated. For a mid-sized platform handling sensitive payment-adjacent data, the incident also highlighted the disproportionate reputational and regulatory exposure that GDPR places on even unintentional leaks.

Financial impact

Reported costs in USD

Ransom demanded: $337.0K
Ransom paid: Refused

    Timeline

    1. Ticketcounter copies a production database to a Microsoft Azure server to test an anonymisation process, but fails to secure it.

    2. An attacker discovers the exposed backup and downloads the full database of 1.9 million unique records.

    3. The attacker contacts Ticketcounter and demands 7 bitcoin (~$337,000) to prevent public release of the data.

    4. Ticketcounter publicly confirms the breach after the data is offered for sale on a hacking forum.

    5. The 1.9 million email addresses and associated personal data circulate on breach forums; Have I Been Pwned ingests the dataset.

    Sources

    1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/european-e-ticketing-platform-ticketcounter-extorted-in-data-breach/
    2. haveibeenpwned.com: https://haveibeenpwned.com/Breach/Ticketcounter
    3. bankinfosecurity.eu: https://www.bankinfosecurity.eu/ticketcounter-data-stolen-from-unsecured-server-a-16101
    4. seclists.org: https://seclists.org/dataloss/2021/q1/143
