Ticketmaster's data breach could be the litmus test for GDPR

Ticketmaster's data breach affecting up to 40,000 people is likely to be the first litmus test of GDPR enforcement in the UK, data protection lawyers agree.

The ticket-selling platform reported a breach last week, when it discovered a malware attack on third-party vendor Inbenta's chatbot had enabled hackers to steal names, addresses, email addresses, telephone numbers, payment card details and Ticketmaster login details.

Affecting customers buying tickets between September 2017 and 23 June 2018, the breach spans two different data protection acts: the Data Protection Act (DPA) 1998, and the Data Protection Act (DPA) 2018 - the latter being the UK's version of the EU's General Data Protection Regulation (GDPR).

This is relevant to all businesses because of the dramatically different level of fines the UK regulator can impose. The 1998 act carries a maximum fine of 500,000 - while the 2018 act means the regulator could demand up to 17 million, or 4% of an organisation's annual turnover, whichever is higher.

So what we have is a breach spanning two data protection acts, but which was reported under the new data protection act.

The Information Commissioner's Office (ICO) is still deciding which legislation is relevant, a spokesman telling IT Pro: "It's still very, very early days and we're still in the evidence gathering stage, and will assess it from there."

But speaking to data protection lawyers, it appears that either the breach will be judged under both the DPA 1998 and DPA 2018, or DPA 2018 itself.

'Continuous breach'

James Pressley, a commercial and corporate solicitor at law firm Kirwans, tells IT Pro that the breach comes under both sets of legislation, and the ICO will issue fines accordingly, if it decides they're necessary.

"There are numerous possible breaches, including unauthorised access, failure to put in place adequate technical measures to protect data, [and] under the GDPR not having sufficient internal policies, procedures and internal organisation in place and possibly failing to report a breach within sufficient time," he explains.

"Some of these could fall either side of 25 May 2018 and therefore, to my mind, would fall to be dealt with under the appropriate act depending on when they occurred."

Breaches before the 25 May, the day GDPR and the DPA 2018 came into force, would be subject to DPA 1998 and those after would be investigated under the new legislation.

"If a breach occurred after 25 May 2018 I don't see how it could be dealt with under the Data Protection Act 1998, because it was repealed at that time," he adds.

"So my argument would be that it is more likely to be a patchwork quilt of enforcement depending on the date of the breach."

The specific point of law that backs up this approach is Schedule 20 of the DPA 2018, which outlines that the repealed 1998 act still applies to breaches that "contravened the old data protection principles before" the new legislation came into force.

Solicitor and chartered engineer Dai Davis, meanwhile, contends that the entire incident should be treated as a breach under GDPR.

"If a historic breach has ceased then it's not caught by GDPR, but this is a continuous breach," he tells IT Pro. "You could argue that if it's a breach in February but it was time limited - so it was due to end on 23 June - then it wouldn't be in GDPR."

However, this constitutes a breach because it kept happening after GDPR was in force, he says. "When there's a breach of data there's a breach of data - it happens every single time the system runs," Davis explains. "The legislation says you have to design a compliant system both at the time of design and at the time of use."

If, as appears likely, the ICO decides that at least part of its investigation must be conducted under GDPR or the DPA 2018, Ticketmaster's breach will be the first test of how the ICO will enforce the legislation.

"Any enforcement action against Ticketmaster under the DPA 2018 will definitely be considered a test case by business because it is a very substantial breach and would be likely to set the tone for enforcement action to be taken by the ICO under the DPA 2018," says Pressley.

This opens up another potential breach of the new legislation - a possible delay in reporting the data breach to customers and the regulator.

Was there a notification delay?

Ticketmaster said it discovered the breach on 23 June. But it didn't communicate to customers until 27 June, four days later. Under the new legislation, companies must inform customers of a personal data breach "without undue delay". They must also inform the ICO within 72 hours. Failure to do this can result in a fine of up to 10 million or 2% of annual turnover under the GDPR.

In its email to customers, Ticketmaster told them it was working with the ICO to investigate the cyber attack, so it may have informed them within the 72-hour window (we've asked, and will update this if and when we hear back).

When IT Pro asked the ICO if it's investigating whether there was an issue of late notification, a spokesman said: "That will form part of the evidence we take in. It's a crossover of two separate bits of legislation that have some different requirements on businesses. That could have a bearing on whether it's a DPA 1998 case or a DPA 2018 case: who knew what, when."

However, Davis is sceptical that the ICO would take action even if there was a late notification. "My forecast is that [information commissioner Elizabeth Denham] has bigger fish to fry. The worst thing she will do is write them a stroppy letter."

A mitigating factor

In fact, Ticketmaster was warned about a potential breach much earlier. Fintech firm Monzo's security team spotted fraudulent activity on a number of customers' cards in April, which had all been used for Ticketmaster payments, replacing 6,000 cards and sharing its findings with the ticket seller on 12 April.

However, Ticketmaster said it found no evidence of a breach from an internal investigation it launched. But Davis believes this will stand in the company's favour when the ICO weighs up any enforcement action, even if the security team missed something, because it would show good security practice.

"If they genuinely did an investigation and didn't find any evidence that's a good mitigating factor in their defence," he says. "That's a huge mitigating factor; you can't find all the breaches all the time."

What's more, given that only 40,000 customers were affected, it's unlikely the firm will face anything like the full financial penalty possible under GDPR, which may only be used in the most egregious of data leaks.

Image: Shutterstock