Ticketmaster fined £1.25m over data breach
The Information Commissioner’s Office (ICO) found Ticketmaster failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.
Its investigation found that the breach began in February 2018 when Monzo Bank customers reported fraudulent transactions.
This was followed by reports from Barclaycard, Mastercard and American Express which suggested the fraud was related to Ticketmaster.
However, the ICO said Ticketmaster failed to identify the problem, taking nine weeks from being alerted to possible fraud to monitoring the activity.
It was later revealed that Ticketmaster’s decision to include a chat-bot hosted by a third party on its online payment page allowed an attacker to access customers’ financial details.
Names, payment card numbers, expiry dates and CVV numbers of up to 9.4 million customers across Europe, including 1.5 million in the UK, were potentially exposed.
It resulted in 60,000 payment cards belonging to Barclays Bank customers being subject to fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.
The ICO said Ticketmaster failed to assess the risks of using a chat-bot on its payment page, to identify and implement appropriate security measures, and to identify the source of suspected fraudulent activity in a timely manner.
As such, it breached the General Data Protection Regulation (GDPR).
James Dipple-Johnstone, deputy commissioner at the ICO, said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.
“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.
“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
The Ticketmaster chat-bot was completely removed from its website on 23 June 2018.
A Ticketmaster spokesperson said: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full co-operation to the ICO. We plan to appeal today’s announcement.”