Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack and Breach.

Total Financial Loss: The total financial loss from these incidents is estimated to be $100 million.

Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with yes (mlb issued public statements and implemented security updates), and containment measures with account lockouts, containment measures with password reset enforcement, containment measures with security patch deployment, and remediation measures with enhanced authentication prompts, remediation measures with fraud monitoring, remediation measures with user education on password hygiene, and recovery measures with ticket replacement for affected fans, recovery measures with customer support escalation, and communication strategy with public apology, communication strategy with media statements, communication strategy with in-app notifications for password updates, and enhanced monitoring with yes (fraud detection for ticket transfers)..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Credential Stuffing (using leaked passwords from other breaches).

Average Financial Loss: The average financial loss per incident is $25.00 million.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Sensitive Data, , Facial Recognition Data, Selfies, , Account Credentials (From External Breaches), Ticket Ownership Data and .

Incident Response Plan: The company's incident response plan is described as Yes (MLB issued public statements and implemented security updates).

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Enhanced Authentication Prompts, Fraud Monitoring, User Education on Password Hygiene, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by account lockouts, password reset enforcement, security patch deployment and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Ticket Replacement for Affected Fans, Customer Support Escalation, .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Pending (Illinois legal complaint filed), .

Key Lessons Learned: The key lessons learned from past incidents are The urgent need for enhanced cybersecurity measures to protect against evolving cybercriminal activities.Credential stuffing remains a pervasive threat, especially for apps handling high-value assets like event tickets.,Convenience features (e.g., 'effortless ticket sharing') can become attack vectors if not secured with MFA or rate limits.,Consumer password hygiene continues to lag, necessitating proactive measures like enforced MFA or password managers.,Secondary markets for tickets create incentives for fraud, requiring real-time fraud detection in transfer functionalities.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Monitor dark web forums for stolen MLB-related credentials or fraud tutorials targeting the app., Enforce multi-factor authentication (MFA) for all account actions, especially ticket transfers., Partner with identity verification services to flag credentials known to be compromised in other breaches., Consider rate-limiting ticket transfers or requiring additional verification for high-value transactions., Audit and restrict ticket-transfer functionalities to prevent bulk or suspicious forwards., Implement behavioral analytics to detect anomalous ticket-sharing patterns (e.g., rapid transfers to new accounts). and Educate users on password hygiene and risks of credential reuse via in-app prompts and email campaigns..

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: SOAX Study, and Source: SOAX, and Source: SporticoUrl: https://www.sportico.com/leagues/baseball/2024/mlb-ballpark-app-ticket-theft-12346789Date Accessed: 2024-09-15, and Source: Reddit (r/baseball)Url: https://www.reddit.com/r/baseball/comments/xyz123/mlb_ballpark_app_tickets_disappearing/Date Accessed: 2024-09-14, and Source: U.S. Federal Trade Commission (FTC) Report on Fraud LossesUrl: https://www.ftc.gov/news-events/news/press-releases/2024/02/new-ftc-data-show-consumers-reported-losing-more-10-billion-fraud-2023Date Accessed: 2024-09-10, and Source: Binary Defense Threat ReportUrl: https://www.binarydefense.com/credential-stuffing-attacks-up-24-in-2024/Date Accessed: 2024-09-05.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Apology, Media Statements and In-App Notifications For Password Updates.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Mlb Urged Fans To Update Passwords And Enable Mfa Where Available., In-App Notifications And Email Alerts Sent To Users About Account Security. and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Yes (Fraud detection for ticket transfers).

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Deployed Security Patches To Restrict Unauthorized Transfers., Enhanced Monitoring For Credential Stuffing Attempts., Public Campaign To Promote Password Updates And Mfa Adoption., Legal Review Of Data Security Obligations (Per Illinois Complaint)., .

Last Attacking Group: The attacking group in the last incident was an Opportunistic CybercriminalsAccount Takeover (ATO) Groups.

Most Recent Incident Detected: The most recent incident detected was on 2024-09-01T00:00:00Z.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-09-12T00:00:00Z.

Highest Financial Loss: The highest financial loss from an incident was Undisclosed (Individual cases include $100,000 in fraudulent 'Wicked' ticket purchases via stolen credit cards in a related incident; broader consumer fraud losses exceeded $12.5B in 2024 per FTC).

Most Significant Data Compromised: The most significant data compromised in an incident were Sensitive Data, , 56 million individuals' data, Facial recognition data, Selfies, , Account Credentials, Ticket Ownership Records, Payment Information (in related incidents) and .

Most Significant System Affected: The most significant system affected in an incident was MLB Ballpark App (iOS/Android)SeatGeek IntegrationTicket Transfer Functionality.

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident was Account LockoutsPassword Reset EnforcementSecurity Patch Deployment.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Sensitive Data, Facial recognition data, Account Credentials, 56 million individuals' data, Payment Information (in related incidents), Selfies and Ticket Ownership Records.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 56.0M.

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Pending (Illinois legal complaint filed), .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Secondary markets for tickets create incentives for fraud, requiring real-time fraud detection in transfer functionalities.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Monitor dark web forums for stolen MLB-related credentials or fraud tutorials targeting the app., Enforce multi-factor authentication (MFA) for all account actions, especially ticket transfers., Partner with identity verification services to flag credentials known to be compromised in other breaches., Consider rate-limiting ticket transfers or requiring additional verification for high-value transactions., Audit and restrict ticket-transfer functionalities to prevent bulk or suspicious forwards., Implement behavioral analytics to detect anomalous ticket-sharing patterns (e.g., rapid transfers to new accounts)., Improved defensive measures against cyberattacks and Educate users on password hygiene and risks of credential reuse via in-app prompts and email campaigns..

Most Recent Source: The most recent source of information about an incident are SOAX, Binary Defense Threat Report, U.S. Federal Trade Commission (FTC) Report on Fraud Losses, Reddit (r/baseball), Sportico and SOAX Study.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.sportico.com/leagues/baseball/2024/mlb-ballpark-app-ticket-theft-12346789, https://www.reddit.com/r/baseball/comments/xyz123/mlb_ballpark_app_tickets_disappearing/, https://www.ftc.gov/news-events/news/press-releases/2024/02/new-ftc-data-show-consumers-reported-losing-more-10-billion-fraud-2023, https://www.binarydefense.com/credential-stuffing-attacks-up-24-in-2024/ .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (MLB mitigating issue; litigation pending).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was MLB urged fans to update passwords and enable MFA where available., .

Most Recent Customer Advisory: The most recent customer advisory issued was an In-app notifications and email alerts sent to users about account security.

Most Recent Entry Point: The most recent entry point used by an initial access broker was an Credential Stuffing (using leaked passwords from other breaches).

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Unknown (Likely ongoing; exploit accelerated in early September 2024).