Ticketmaster, when announcing the breach that saw an unknown third-party access payment details of up to 40,000 customers, blamed the attack on "malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster."
In a statement on the company's website, Torras added that his company received notification of the breach from Ticketmaster on Saturday evening.
"Ticketmaster directly applied the script to its payments page, without notifying our team.
"Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk... The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018."
After being notified, Inbenta conducted its own code audit of both general and customised scripts and concluded that only Ticketmaster was compromised - directly as a result of Ticketmaster's own actions.
"We can fully assure our customers and end-users that no other implementation of Inbenta across any of our products or customer deployments has been affected," the company asserted.
However, Inbenta cannot monitor the particular pages on which customers embed its technology.
Seperately, on Thursday, digital banking service Monzo said it alerted Ticketmaster to the data breach in April, despite the company's claims that it hadn't learnt of the breach until June.
Given these claims that Ticketmaster was sitting on the breach for two months, the firm could potentially face a hefty fine under the EU's new GDPR laws, that require firms to report data breaches without "undue delay, and where feasible, not later than 72 hours after having become aware of it."
The Information Commissioner's Office said it was investigating the breach. µ
What could possibly go wrong...
Committee clams firm failed to implement 'adequate security'
Meme Ban means Meme Ban
It's anonymous data at first but the NYT figured out how to make it personal