On Wednesday 27 June, international ticketing giant Ticketmaster announced that tens of thousands of its customers may have had their payment details stolen as part of a data breach.
The news broke late on Wednesday, and FieldHouse Associates (and probably every other communications agency with cyber security clients) jumped into action.
We were quick. After seeing the news at around 5:30, we had comment out the door by 6pm. Somebody beat us to the punch, though. By about two months, in fact. But it wasn’t a rival agency – it was Monzo.
Monzo is a challenger bank with more than 600,000 customers. For a long time now, the term “challenger” has been associated with these sorts of businesses, but it’s been used in a relatively ambiguous way. It’s no secret that Monzo does things differently to most banks, with an app-first, people-led approach. But perhaps for the first time, the traditional banking industry has seen what a challenger bank can really do differently.
According to Monzo’s blog, the team first started receiving reports of suspicious transactions back in April. The team immediately cancelled the affected cards – standard procedure for any bank. But Monzo went one step further.
The team ran some analysis on the transactions, and found a pattern: “70% of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster.”
The team alerted Ticketmaster (and the US Secret Service!) to their findings, and proactively replaced any customer card that had been used on the Ticketmaster website – around 6,000.
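The analysis described in the quote compares a merchant's share among compromised cards with its share across all customers, and it can be sketched as below. This is an added example, not Monzo's code: the function names, merchant labels, dates and card data are constructed to mirror the quoted 70% and 0.8% figures.

```python
from collections import defaultdict
from datetime import date

def merchant_lift(transactions, compromised, start, end):
    """Rank merchants by how over-represented they are among compromised cards.

    transactions: iterable of (card_id, merchant, purchase_date).
    Returns [(merchant, share_of_compromised, share_of_all, lift)], highest lift first.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        if start <= day <= end:          # only purchases inside the exposure window
            cards_by_merchant[merchant].add(card)
    rows = []
    for merchant, cards in cards_by_merchant.items():
        hit = len(cards & compromised) / len(compromised)
        base = len(cards) / len(all_cards)
        rows.append((merchant, hit, base, hit / base))
    return sorted(rows, key=lambda r: r[3], reverse=True)

def cards_at_risk(transactions, merchant, start, end, compromised):
    """Cards that used the suspect merchant in the window but are not yet reported."""
    return {c for c, m, d in transactions
            if m == merchant and start <= d <= end} - compromised

# Constructed data mirroring the quoted proportions (not real records):
# 1,000 cards, all of which shop at "grocer"; 8 used "tickets" in the window.
WINDOW = (date(2017, 12, 1), date(2018, 4, 30))
CARDS = [f"c{i:04d}" for i in range(1000)]
TRANSACTIONS = [(c, "grocer", date(2018, 2, 1)) for c in CARDS]
TRANSACTIONS += [(c, "tickets", date(2018, 1, 15)) for c in CARDS[:8]]
TRANSACTIONS += [("c0900", "tickets", date(2017, 6, 1))]   # outside the window
# 10 compromised cards: 7 used "tickets", 3 did not.
COMPROMISED = set(CARDS[:7]) | {"c0500", "c0501", "c0502"}

if __name__ == "__main__":
    for merchant, hit, base, lift in merchant_lift(TRANSACTIONS, COMPROMISED, *WINDOW):
        print(f"{merchant:8} compromised={hit:.1%} all={base:.1%} lift={lift:.1f}x")
    print(sorted(cards_at_risk(TRANSACTIONS, "tickets", *WINDOW, COMPROMISED)))
```

Every compromised card also used "grocer", but so did every other card, so its lift is 1.0. It is the ratio to the baseline, not the raw share, that singles out the ticketing merchant.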
What’s worrying is that, according to Monzo, Ticketmaster’s own internal investigation concluded on 19 April having found no evidence of a breach, noting that no other banks had reported fraudulent transactions.
I repeat: no other banks reported fraudulent transactions. Of course, this is largely reliant on customers reporting any issues, but it seems strange that only Monzo customers noticed anything nefarious.
It took until 21 June for Mastercard to issue an alert, and until last night for Ticketmaster to publicly declare the breach.
When you consider the sheer amount of data traditional banks have, as well as the available infrastructure to manage and analyse that data, it’s alarming that a business which only got its banking licence in April last year managed to beat Ticketmaster, Mastercard, and all the high street banks to the punch.
Even if the explanation is as simple as Monzo’s in-app push notifications alerting customers to transactions they didn’t recognise, that’s a lesson for traditional banks in how effective something that simple can be.
The public nature of this breach could be a tipping point for Monzo. Perhaps for the first time, it has put real meaning behind the term “challenger bank”. Either way, whether it meant it to be or not, it’s a real statement of intent for Monzo, and a wake-up call for the finance industry.