A 2018 Ticketmaster data breach has resulted in a £1.25 million fine from the Information Commissioner’s Office (ICO). Personal and payment information was accessed in the breach, which may have involved as many as 9.4 million customers in Europe and more than a million in the UK.
Ticketmaster says it plans to appeal the ruling.
“Ticketmaster takes fans’ data privacy and trust very seriously,” the company said in a statement. “Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.”
After investigation, it was found that Inbenta, a third-party chat system, was exploited by a cyber-attacker to gain access to the Live Nation Entertainment-owned ticketing giant’s system. The ICO says that the Ticketmaster data breach had triggered warnings from several payment processing partners. Monzo Bank, The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express had all reported signs of fraud to Ticketmaster beginning in February 2018, but it was nine weeks before the company began monitoring activity on its payment page.
The ICO found at least 66,000 instances of fraud or cards replaced for suspected fraud as a result of the Ticketmaster data breach. Data accessed included names, payment card numbers, expiration dates and CVV numbers.
In its findings, the ICO concluded that Ticketmaster had failed to:
- Assess the risks of using a chat-bot on its payment page
- Identify and implement appropriate security measures to negate the risks
- Identify the source of the suspected fraudulent activity in a timely manner.
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” says James Dipple-Johnstone, ICO Deputy Commissioner. “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.
“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
The Ticketmaster data breach was believed to be one of the first major violations discovered under the EU’s General Data Protection Regulation (GDPR), which can penalize companies steeply for privacy violations involving consumers in the European Union. That regulation went into effect in May 2018, meaning that the first span of the incident was not actually covered by GDPR. The chatbot was removed from the payment page on the company’s website in June 2018.