Ticketmaster fined £1.25 million for 2018 data breach
The incident affected 9.4 million customers and led to at least 60,000 instances of fraud
The Information Commissioner’s Office (ICO) has fined Ticketmaster £1.25 million for failing to provide adequate protection for user data.
Ticketmaster violated the General Data Protection Regulation (GDPR) by failing to put in place adequate security measures to prevent a cyber attack on a chatbot installed on its online payments page in 2018.
This resulted in a data breach thought to have affected up to 9.4 million customers across Europe, including 1.5 million in the UK, with the attackers stealing names, payment card numbers, expiry dates and CVV security codes.
Investigators found that, as a direct result of the breach, 60,000 payment cards belonging to Barclays Bank customers were subject to identity fraud. This is in addition to a further 6,000 cards belonging to Monzo Bank customers that were replaced following suspected fraudulent use.
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” the ICO’s deputy commissioner James Dipple-Johnstone said.
“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
The breach began in February 2018, and customers soon started reporting instances of fraud to their banks, including Monzo Bank, Barclaycard and Mastercard. These concerns were forwarded to Ticketmaster, but according to the ICO it was nine weeks before the firm began monitoring network traffic through its online payments page.
The chatbot, through which the attackers harvested customer details, was not removed until 23 June 2018, weeks after GDPR came into force on 25 May 2018. Because the breach was still ongoing at that point, the ICO sanctioned Ticketmaster under GDPR rather than under the previous Data Protection Act 1998, which capped fines at £500,000.
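The article does not say how the chatbot was integrated into the payments page; the usual pattern for such widgets, assumed in the added example below, is a vendor-hosted script tag. Any script loaded that way executes with the payment page's own origin and can read the card-number and CVV fields exactly as first-party checkout code can, so every cross-origin script on a payment page is a supplier whose compromise becomes your breach. The check below is example code written for this edit, not Ticketmaster's, the ICO's or any vendor's: it walks a constructed sample checkout page, lists the cross-origin scripts it loads, and reports whether each is pinned with Subresource Integrity and whether the page's Content-Security-Policy allows it at all. The hostnames, the CSP header and the SRI hash are all hypothetical placeholders.

```javascript
// Added example (not from the article): audit the third-party scripts a
// payment page loads. Constructed sample page; every host is hypothetical
// and the integrity value is a placeholder, not a real hash.
const SAMPLE_PAGE = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://chat.vendor-a.invalid/widget.js"></script>
<script src="https://js.psp-b.invalid/v1/fields.js"
        integrity="sha384-0000000000000000000000000000000000000000000000000000000000000000"
        crossorigin="anonymous"></script>
</head><body>
<form id="card"><input name="cardnumber"><input name="cvc"></form>
</body></html>`;

// Constructed sample Content-Security-Policy header. Note that the chatbot
// host is not listed: a browser enforcing this policy would refuse to load it.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://js.psp-b.invalid; frame-ancestors 'none'";

// Parse a CSP header into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one CSP source expression permit loading `url`?
// Handles 'self', '*', scheme-only sources, exact origins and *.wildcards.
// Other quoted keywords (nonces, hashes, 'unsafe-inline') never match a URL.
function sourceAllows(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  let scheme = null;
  let hostPattern = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/([^/]+)/i);
  if (m) {
    scheme = m[1].toLowerCase();
    hostPattern = m[2];
  }
  if (scheme && url.protocol !== scheme + ':') return false;
  hostPattern = hostPattern.toLowerCase();
  const host = url.host.toLowerCase();
  if (hostPattern.startsWith('*.')) return host.endsWith(hostPattern.slice(1));
  return host === hostPattern;
}

// script-src governs scripts; if absent, default-src applies; if neither
// is present the policy places no restriction on script loads.
function scriptAllowedByCsp(policy, url, pageOrigin) {
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  return sources.some((s) => sourceAllows(s, url, pageOrigin));
}

// Walk every <script src=...> tag and report the cross-origin ones.
// Inline scripts are skipped: they are first-party code, which is not the
// supply-chain question this check is about.
function auditThirdPartyScripts(html, pageOrigin, cspHeader) {
  const policy = parseCsp(cspHeader);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = tag[1];
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (!srcMatch) continue;
    const url = new URL(srcMatch[1], pageOrigin);
    if (url.origin === pageOrigin) continue;
    // SRI pins the exact bytes the browser will execute; without it the
    // vendor (or whoever controls the vendor's host) can change the script
    // at any time, and the page will run whatever is served.
    const pinned = /\bintegrity\s*=\s*["']sha(256|384|512)-[^"']+["']/i.test(attrs);
    findings.push({
      url: url.href,
      host: url.host,
      pinned,
      allowedByCsp: scriptAllowedByCsp(policy, url, pageOrigin),
    });
  }
  return findings;
}

// Stand-alone run over the constructed sample.
console.log(auditThirdPartyScripts(SAMPLE_PAGE, 'https://checkout.example.invalid', SAMPLE_CSP));
```

On the sample page the chatbot script is reported as neither pinned nor allowed by the policy, while the payment-provider script is both. In practice a chat widget that the vendor updates frequently cannot be pinned with SRI without breaking every time it changes, which is precisely why such scripts do not belong on the page that holds card fields; the usual answer is to keep the card inputs in a provider-hosted iframe so that no other script on the page shares their origin.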
The ICO initially issued a notice of intent to fine Ticketmaster £1.5 million in February this year; the final figure was reduced slightly to take account of Ticketmaster’s representations and the economic impact of COVID-19.
The fine was issued days after the ICO formally levied penalties against both BA and Marriott for their own data breaches. Both of those fines were dramatically reduced from the figures set out in the ICO’s original notices of intent.
BA saw its £183 million fine for GDPR violations cut to £20 million, while Marriott escaped a £99 million fine and will now pay £18.4 million. In both cases the ICO cited the effects of COVID-19 as a major factor in the reduction.