Ticketmaster has been issued a £1.2 million fine by the UK's Information Commissioner's Office (ICO) after it failed to properly protect its customers' data during a breach that occurred over two years ago.
The fine was issued after the company was found to be in breach of the EU's General Data Protection Regulation (GDPR) – for failing to implement appropriate security on a chatbot that appeared on its payment page.
The cyberattack was found to be subject to substantial fines because the data protection legislation came into effect on May 25 of the same year.
The severe data breach, which affected up to 9.4m Ticketmaster customers in Europe – 1.5m of them from the UK – resulted in hackers stealing highly sensitive personal information including names, credit and debit card numbers, expiry dates, and the CVV numbers from the back of those cards.
This data could be used to engage in fraud and secondary attacks such as phishing and ID fraud. Following the cyberattack, 60,000 Barclays Bank customers are thought to have become victims of fraud.
The massive cyberattack was first noticed by Monzo customers back in February 2018. At that time, consumers began reporting fraudulent transactions in their accounts.
Following those reports, the Commonwealth Bank of Australia, Barclaycard, American Express, and Mastercard all reported signs of fraudulent activity to the American ticket sales and distribution company. Despite this, the company failed to act.
Keller Lenkner UK, the law firm currently in the advanced stages of a High Court action against Ticketmaster on behalf of the thousands of UK consumers affected by the breach, told ProPrivacy.com:
"The breach has been identified as being caused by a third-party chat bot facility used on its payments page. While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers - details included bank information."
According to the ICO, Ticketmaster has been issued the fine for failing to:
- Assess the risks of using a chat-bot on its payment page
- Identify and implement appropriate security measures to negate the risks
- Identify the source of suggested fraudulent activity in a timely manner
James Dipple-Johnstone, deputy commissioner at the ICO, commented:
"Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud."
Kingsley Hayes, head of data breach and cybercrime at Keller Lenkner UK, was quick to point out that the fine received by Ticketmaster is comparatively low:
"This has been long awaited following Ticketmaster's data breach which started in February 2018 and continued for several months. While this is a significant financial penalty, we should note that the ICO has to take the economic impact of the pandemic into consideration; therefore, Ticketmaster's fine today is significantly less than it would have been in ordinary circumstances."
Keller Lenkner will now push on with its legal action against Ticketmaster, in the hopes of winning damages for thousands of Brits affected by the cyberattack.
Keller Lenkner UK is currently at an advanced stage of a High Court action against Ticketmaster on behalf of thousands of affected customers with the effects of the breach causing actual, and potential, financial harm and psychological damage.