Ticketmaster fined £1.25 million for 2018 data breach

The incident affected 9.4 million customers and led to at least 60,000 instances of fraud

The Information Commissioner’s Office (ICO) has fined Ticketmaster £1.25 million for failing to provide adequate protection for user data.

Ticketmaster violated the General Data Protection Regulation (GDPR) by failing to put in place adequate security measures to prevent a cyber attack on a chatbot installed on its online payments page in 2018.

This resulted in a data breach thought to have affected up to 9.4 million customers across Europe, and 1.5 million in the UK, with hackers stealing names, payment card numbers, expiry dates, and CVV security numbers.

Investigators found that, as a direct result of the breach, 60,000 payment cards belonging to Barclays Bank customers were subject to identity fraud. This is in addition to a further 6,000 cards belonging to Monzo Bank customers that were replaced following suspected fraudulent use.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” the ICO’s deputy commissioner James Dipple-Johnstone said.

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The breach began in February 2018, with customers reporting instances of fraud to their banks, including Monzo Bank, Barclaycard, and Mastercard. These concerns were forwarded to Ticketmaster, but it was nine weeks before the firm began monitoring network traffic through its online payments page, according to the ICO.

The chatbot, through which hackers accessed customer details, was eventually removed on 23 June 2018, only weeks after GDPR came into force. It was because of this move that the ICO decided to sanction Ticketmaster under the terms of GDPR rather than the previous Data Protection Act 1998, the latter of which set maximum possible fines at £500,000.

The ICO initially issued a notice of intent to fine Ticketmaster £1.5 million in February this year; the figure has been reduced slightly to take into account Ticketmaster’s response, as well as the economic effects of COVID-19.

The fine has been issued days after the ICO formally levied fines against both BA and Marriott for their own data breaches. These fines, however, were dramatically reduced from the figures set out in the ICO’s initial notices of intent to fine.

BA saw its £183 million fine for GDPR violations reduced to just £20 million, while Marriott escaped a £99 million fine and will now only be expected to pay £18.4 million. These decisions were largely influenced by the effects of COVID-19.
