
The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.
Security researcher Ian Carroll used Anthropic's AI model Claude Opus 4.7 to bypass security measures and exploit a critical vulnerability in Front Gate Tickets, a platform handling ticketing for major US music festivals. The AI-enabled attack exposed millions of records and allowed unauthorized ticket issuance before the flaw was patched. [AI generated]
Why's our monitor labelling this an incident or hazard?
The event involves the use of an AI system (Claude Opus 4.7) to perform hacking activities that uncovered a critical security vulnerability in a ticketing platform. The AI system's involvement was instrumental in bypassing security controls and gaining unauthorized access. The vulnerability could have led to significant harm, including unauthorized ticket issuance (harm to property and economic harm), exposure of personal data (privacy violation), and disruption of ticketing services (harm to communities). Although no malicious exploitation occurred, the AI system's role was pivotal in enabling the discovery of the flaw, which constitutes an AI Incident under the framework. The responsible disclosure and patching do not negate the fact that harm could have occurred and that the AI system was directly involved in the incident. [AI generated]