Ticketmaster GDPR Breach Results in £1.25m Penalty

In the United Kingdom the Information Commissioner’s Office (ICO) has sanctioned a General Data Protection Regulation (GDPR) penalty of £1.25million against  Ticketmaster UK Limited due shortcomings in the group’s legal obligation to safely manage customers’ private data.

In it’s official ruling, the ICO found that Ticketmaster did establish appropriate security measures to prevent hacking taking place via a chat-bot installed using its online payment portal.  The data breach, which incorporated names, payment card details, expiration dates and CVV information, may have impacted up to 9.4million of Ticketmaster’s customers across Europe including 1.5million in the United Kingdom.

Investigators discovered that, due to the breach, 60,000 payment cards owned by Barclays Bank customers had been impact by fraud. Another 6,000 cards were rendered unusable by Monzo Bank as a response to the suspected breach.

James Dipple-Johnstone, Deputy Commissioner at ICO commented on the breach saying: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The ICO found that Ticketmaster did not:

  • Identify the dangers of implementing a chat-bot on its payment website
  • Create appropriate security processes to address the threat of cyber attacks infiltrating their databases
  • Swiftly identify and address all fraudulent activity on their websites

You can read the full ruling here.

The breach began at some point during February 2018 when Monzo Bank customers submitted complaints linked to fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all registered additional reports of incidents of cybercrime possibly targeting Ticketmaster. However, Ticketmaster failed o react to these reports. In fact, there was a nine-week delay from the discovery of the breach to Ticketmaster until the company began to review network traffic through its online payment website.

The official review conducted by ICO found that that the installation of the chat-bot, via a third party, on its online payment portal allowed a hacker to access to customers’ financial details. As GDPR was only enforceable from may 25 2018 the GDPR penalty in this instance is only being applied for what took place after that date.

Ticketmaster UK Limited deleted the chat bot from its payment portal on June 23 2018.