ICO fines Ticketmaster UK £1.25million for data breach

Posted on 17 Nov 2020

The ICO has fined Ticketmaster UK £1.25million for failing to keep its customers’ personal data secure.

What was the data breach?

Ticketmaster sell event tickets on behalf of clients. The breach began in February 2018. Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. 

After being alerted to possible fraud, Ticketmaster took nine weeks to begin monitoring the network traffic through its online payment page.

ICO investigation

The ICO found Ticketmaster’s chat-bot, hosted by a third party and present on its online payment page, allowed an attacker to access customers’ financial details.

Investigators found that 60,000 Barclays Bank customer cards had been subject to fraud due to the breach. 6,000 Monzo Bank cards were also replaced after suspected fraudulent use.

Ticketmaster received approximately 997 complaints alleging financial loss and/or emotional distress. Ticketmaster removed the chat-bot from its website on 23 June 2018 and informed all potentially impacted customers of the breach on 28 June 2018.

The breach potentially affected 9.4million European Ticketmaster customers including 1.5million UK customers. The breach concerned customers’:

  • Names 
  • Payment card numbers and expiry dates and 
  • CVV numbers.

ICO fine

The ICO found that Ticketmaster failed to protect customer information, in breach of the GDPR. Ticketmaster had failed to:

  • Assess the risks of using a chat-bot on its payment page
  • Identify and implement appropriate security measures to negate the risks and
  • Identify the source of suggested fraudulent activity in a timely manner 

The ICO assessed the penalty from 25 May 2018 (when the GDPR came into effect). It fined Ticketmaster £1.25million. This was slightly down from the original notice of intent of £1.5million, mainly due to Covid-19’s impact on Ticketmaster.


The ICO has issued another fine of over £1million for a security data breach. It follows the ICO’s fine to British Airways of £20million and Marriott International of £18.4million and shows the ICO takes failures to safeguard personal data very seriously. The ICO commented: 

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

The £1.25million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

Ticketmaster delayed responding to the breach once alerted. Although the chat-bot was provided by a third party, Ticketmaster (as the data controller) were still deemed not to meet their responsibilities. It is important that organisations implement a rapid and robust response plan for potential breaches. 
