Ticketmaster fined £1.25 million for 2018 data breach

The incident affected 9.4 million customers and led to at least 60,000 instances of fraud

The Information Commissioner’s Office (ICO) has fined Ticketmaster £1.25 million for failing to provide adequate protection for user data.

Ticketmaster violated the General Data Protection Regulation (GDPR) by failing to put in place adequate security measures to prevent a cyber attack on a chatbot installed on its online payments page in 2018.

This resulted in a data breach thought to have affected up to 9.4 million customers across Europe, and 1.5 million in the UK, with hackers stealing names, payments card numbers, expiry dates, and CVV security numbers.

Investigators found that, as a direct result of the breach, 60,000 payment cards belonging to Barclays Bank customers were subject to identity fraud. This is in addition to a further 6,000 cards belonging to Monzo Bank customers that were replaced following suspected fraudulent use.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” the ICO’s deputy commissioner James Dipple-Johnstone said.

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25 milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The breach began in February 2018, with customers reporting instances of fraud to their banks, including Monzo Bank, Barclaycard, and Mastercard. These concerns were forwarded to Ticketmaster, but it was nine weeks before the firm began monitoring network traffic through its online payments page, according to the ICO.

The chatbot, through which hackers accessed customer details, was eventually removed on 23 June 2018, only weeks after GDPR came into force. It was because of this move that the ICO decided to sanction Ticketmaster under the terms of GDPR rather than the previous Data Protection Act 1998, the latter of which set maximum possible fines at £500,000.

The ICO initially issued a notice of intent to fine Ticketmaster £1.5 million in February this year, which has been reduced slightly when taking into account Ticketmaster’s response, as well as the economic effects of COVID-19.

Related Resource

2020 Cyber Threat Intelligence (CTI) survey

How to measure the effectiveness of your CTI programme

Download now

The fine has been issued days after the ICO formally levied fines against both BA and Marriott for their own data breaches. These fines, however, were dramatically reduced from the initial figures set out in the ICO’s initial notices of intent to fine.

BA saw its £183 million fine for GDPR violations reduced to just £20 million, while Marriott escaped a £99 million fine and will now only be expected to pay £18.4 million. These decisions were largely influenced by the effects of COVID-19.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Monero miners target cloud-native development environments
cryptocurrencies

Monero miners target cloud-native development environments

5 Mar 2021
Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

5 Mar 2021
High-risk email security threats increased by 32% last year
phishing

High-risk email security threats increased by 32% last year

3 Mar 2021
Malicious ‘dependency confusion’ packages are stealing password files
hacking

Malicious ‘dependency confusion’ packages are stealing password files

2 Mar 2021

Most Popular

Star Alliance passenger data stolen in SITA data breach
data breaches

Star Alliance passenger data stolen in SITA data breach

5 Mar 2021
I went shopping at Amazon’s till-less supermarket so that you don’t have to
automation

I went shopping at Amazon’s till-less supermarket so that you don’t have to

5 Mar 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021