On November 13, 2020, the UK Information Commissioner’s Office (“ICO”) fined Ticketmaster UK Limited (“Ticketmaster”) £1.25 million for failing to keep its customers’ personal information secure. The ICO determined that Ticketmaster had not taken appropriate security measures to prevent a cyber attack, in violation of Article 5(1)(f) and Article 32 of the EU General Data Protection Regulation (“GDPR”). The ICO acted as lead supervisory authority for the cross-border processing affected by this breach, and the penalty was approved by the other EU data protection authorities as part of the GDPR cooperation process. Ticketmaster has announced that it will appeal the fine.
Ticketmaster’s breach started in February 2018, when malicious code was injected into a chatbot on Ticketmaster’s payment page (although the penalty relates only to the period from May 25, 2018, when the GDPR came into effect). The malicious code enabled the attacker to collect payment data entered by Ticketmaster users. The incident ended in June 2018 when the chatbot was disabled. The ICO was notified of the breach on June 23, 2018, and affected individuals were notified on June 28.
The breach exposed customers’ names, bank account details and payment card information, and may have affected 9.4 million people in the EEA, including 1.5 million in the UK. According to the criminal complaint, around 60,000 payment cards belonging to Barclays Bank customers were compromised as a result of the breach, while Monzo Bank replaced 6,000 cards on suspicion of fraud. Ticketmaster also received nearly 1,000 complaints relating to the breach, citing financial loss or emotional distress.
Ticketmaster also took no steps to check the chatbot, even after being made aware of the malicious code by a Twitter user. It was also found that the intervals between the regular security checks performed by Ticketmaster were too long and that the problem with the chatbot was not detected quickly enough after Ticketmaster was informed of possible fraud. Ticketmaster did not begin monitoring network traffic through its online payments page until nine weeks after being notified of possible fraud.
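The failure described above, a third-party chatbot script embedded on the payment page that was never re-checked after deployment, is what Subresource Integrity (SRI) pinning and periodic re-verification of the served script address. The following Python is an added example written for this summary, not code from Ticketmaster, Inbenta or the ICO; the script contents, URL and timestamps are constructed.

```python
import base64
import hashlib
from datetime import datetime

# Constructed sample data (hypothetical, not the real chatbot code):
# the third-party script as reviewed and approved, and a later copy served
# by the supplier with unexpected content appended.
APPROVED_SCRIPT = b"window.chatWidget = {open: function () {}};\n"
CHANGED_SCRIPT = APPROVED_SCRIPT + b"// content appended after the review\n"


def sri_integrity(script: bytes) -> str:
    """Return an SRI integrity value (sha384, base64) for the script bytes."""
    digest = hashlib.sha384(script).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def verify_script(served: bytes, approved_integrity: str) -> bool:
    """True only if the script currently served matches the reviewed copy.

    A browser applies the same rule when the <script> tag carries an
    integrity attribute: a modified file is refused instead of executed.
    """
    return sri_integrity(served) == approved_integrity


def script_tag(src: str, approved: bytes) -> str:
    """Build the <script> tag for the payment page, pinned to the approved copy."""
    return (f'<script src="{src}" integrity="{sri_integrity(approved)}" '
            'crossorigin="anonymous"></script>')


def first_deviation(observations, approved_integrity: str):
    """Given (time, bytes) snapshots of the served script in time order,
    return the time of the first snapshot that no longer matches the
    approved copy, or None if every snapshot matched. Running this on a
    short schedule is what shortens the detection gap described above."""
    for when, served in observations:
        if not verify_script(served, approved_integrity):
            return when
    return None


if __name__ == "__main__":
    approved = sri_integrity(APPROVED_SCRIPT)
    print(script_tag("https://chat.example.invalid/widget.js", APPROVED_SCRIPT))
    snapshots = [(datetime(2018, 2, 1), APPROVED_SCRIPT),
                 (datetime(2018, 3, 1), CHANGED_SCRIPT)]
    print("first deviation:", first_deviation(snapshots, approved))
```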
When calculating the fine, the ICO first found that Ticketmaster had made no financial gain from the violation. The ICO then weighed the factors listed in Article 83(2)(a) of the GDPR: the number of data subjects affected, the “insufficient consideration” Ticketmaster had shown for the protection of personal data, its negligence in assuming that Inbenta, the chatbot supplier, would provide reasonable security for payment card information, and Ticketmaster’s non-compliance with industry standards that would have reduced the risk of an attack.
In mitigation, the ICO found that Ticketmaster had created a website to provide information about the breach, provided 12 months of credit monitoring for affected individuals, and enforced password resets across all of its domains. The ICO also noted that Ticketmaster had incurred significant costs associated with the breach.
The fine originally proposed by the ICO in its MoU issued on February 7, 2020 was £1.5 million. This was reduced to take account of the impact of the COVID-19 pandemic on Ticketmaster’s business, which depends on live sports, music and entertainment events.
Check out the ICO’s criminal complaint.