IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ticketmaster fined £1.25 million for 2018 data breach

The incident affected 9.4 million customers and led to at least 60,000 instances of fraud

The Information Commissioner’s Office (ICO) has fined Ticketmaster £1.25 million for failing to provide adequate protection for user data.

Ticketmaster violated the General Data Protection Regulation (GDPR) by failing to put in place adequate security measures to prevent a cyber attack on a chatbot installed on its online payments page in 2018.

This resulted in a data breach thought to have affected up to 9.4 million customers across Europe, and 1.5 million in the UK, with hackers stealing names, payments card numbers, expiry dates, and CVV security numbers.

Investigators found that, as a direct result of the breach, 60,000 payment cards belonging to Barclays Bank customers were subject to identity fraud. This is in addition to a further 6,000 cards belonging to Monzo Bank customers that were replaced following suspected fraudulent use.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” the ICO’s deputy commissioner James Dipple-Johnstone said.

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25 milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The breach began in February 2018, with customers reporting instances of fraud to their banks, including Monzo Bank, Barclaycard, and Mastercard. These concerns were forwarded to Ticketmaster, but it was nine weeks before the firm began monitoring network traffic through its online payments page, according to the ICO.

The chatbot, through which hackers accessed customer details, was eventually removed on 23 June 2018, only weeks after GDPR came into force. It was because of this move that the ICO decided to sanction Ticketmaster under the terms of GDPR rather than the previous Data Protection Act 1998, the latter of which set maximum possible fines at £500,000.

The ICO initially issued a notice of intent to fine Ticketmaster £1.5 million in February this year, which has been reduced slightly when taking into account Ticketmaster’s response, as well as the economic effects of COVID-19.

Related Resource

2020 Cyber Threat Intelligence (CTI) survey

How to measure the effectiveness of your CTI programme

Download now

The fine has been issued days after the ICO formally levied fines against both BA and Marriott for their own data breaches. These fines, however, were dramatically reduced from the initial figures set out in the ICO’s initial notices of intent to fine.

BA saw its £183 million fine for GDPR violations reduced to just £20 million, while Marriott escaped a £99 million fine and will now only be expected to pay £18.4 million. These decisions were largely influenced by the effects of COVID-19.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Most Popular

Raspberry Pi launches next-gen Pico W microcontroller with networking support

Raspberry Pi launches next-gen Pico W microcontroller with networking support

1 Jul 2022
Xerox CEO John Visentin dies unexpectedly aged 59
Careers & training

Xerox CEO John Visentin dies unexpectedly aged 59

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022