Ticketmaster fined £1.25 million for 2018 data breach

The incident affected 9.4 million customers and led to at least 60,000 instances of fraud

The Information Commissioner’s Office (ICO) has fined Ticketmaster £1.25 million for failing to provide adequate protection for user data.

Ticketmaster violated the General Data Protection Regulation (GDPR) by failing to put in place adequate security measures to prevent a cyber attack on a chatbot installed on its online payments page in 2018.

This resulted in a data breach thought to have affected up to 9.4 million customers across Europe, and 1.5 million in the UK, with hackers stealing names, payments card numbers, expiry dates, and CVV security numbers.

Investigators found that, as a direct result of the breach, 60,000 payment cards belonging to Barclays Bank customers were subject to identity fraud. This is in addition to a further 6,000 cards belonging to Monzo Bank customers that were replaced following suspected fraudulent use.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” the ICO’s deputy commissioner James Dipple-Johnstone said.

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25 milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The breach began in February 2018, with customers reporting instances of fraud to their banks, including Monzo Bank, Barclaycard, and Mastercard. These concerns were forwarded to Ticketmaster, but it was nine weeks before the firm began monitoring network traffic through its online payments page, according to the ICO.

The chatbot, through which hackers accessed customer details, was eventually removed on 23 June 2018, only weeks after GDPR came into force. It was because of this move that the ICO decided to sanction Ticketmaster under the terms of GDPR rather than the previous Data Protection Act 1998, the latter of which set maximum possible fines at £500,000.

The ICO initially issued a notice of intent to fine Ticketmaster £1.5 million in February this year, which has been reduced slightly when taking into account Ticketmaster’s response, as well as the economic effects of COVID-19.

Related Resource

2020 Cyber Threat Intelligence (CTI) survey

How to measure the effectiveness of your CTI programme

Download now

The fine has been issued days after the ICO formally levied fines against both BA and Marriott for their own data breaches. These fines, however, were dramatically reduced from the initial figures set out in the ICO’s initial notices of intent to fine.

BA saw its £183 million fine for GDPR violations reduced to just £20 million, while Marriott escaped a £99 million fine and will now only be expected to pay £18.4 million. These decisions were largely influenced by the effects of COVID-19.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021
Cyber criminals bypassing MFA to access cloud service accounts
two-factor authentication (2FA)

Cyber criminals bypassing MFA to access cloud service accounts

14 Jan 2021
Capcom data breach adds another 40,000 estimated victims
data breaches

Capcom data breach adds another 40,000 estimated victims

13 Jan 2021
Misconfigured Git servers lead to Nissan data leak
hacking

Misconfigured Git servers lead to Nissan data leak

7 Jan 2021

Most Popular

How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
The fate of Parler exposes the reality of deregulated social media
Policy & legislation

The fate of Parler exposes the reality of deregulated social media

14 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021