The personal data of hundreds of thousands of zoo and amusement park visitors are available online due to a leak at ticket software provider Ticketcounter. Due to human error, a file containing customers’ bank account numbers, emails, names, and dates of birth, among other things, was put publicly online, the company confirmed to NU.nl.
Dozens of Dutch zoos, museums, amusement parks and other places use Ticketcounter to sell their tickets. These include Diergaarde Blijdorp, Apenheul, Duinrell, Keukenhof, and Schaatsbaan Rotterdam. The leaked file contained the data of people who bought tickets at any of the businesses using Ticketcounter software between the beginning of 2017 and 4 August 2020.
Ticketcounter discovered last week that its customer data was being sold online. The company took the file in question offline and deleted it, but it had already been copied. Criminals also tried to blackmail Ticketcounter with the stolen data, demanding 7 bitcoin to delete the data. Ticketcounter told NU.nl that it did not pay the ransom and notified the police.
Ticketcounter cannot say how many companies use its software. “Some partners are still busy informing their customers. That is why we do not want to put them under pressure by mentioning them now,” director Sjoerd Bakker said to the newspaper. “It’s not hundreds of companies, but there are more than dozens.”
Exactly how many customers were affected is also unclear. The file contained 1.5 million to 1.8 million email addresses, though some of them were double if people bought tickets at two different zoos, for example. Bakker thinks it concerned several hundred thousand people.
The involved companies have informed affected customers of the leak.