Ticketmaster UK fined £1.25m for failing to keep its customers’ personal data secure

Kalila Sangster
·3 min read
"Los Angeles, CA, USA - November 5, 2012: Music concert show event tIckets for Los Angeles area performances."
The inclusion of a chat-bot on Ticketmaster’s online payment page allowed an attacker access to customers’ financial details, the ICO investigation found. Photo: Getty

Ticketmaster UK has been fined £1.25m ($1.6m) by the Information Commissioner's Office (ICO) for failing to keep its customers’ personal data secure.

The ICO found that the ticket sales and distribution company did not place appropriate security measures for the prevention of cyber-attack on a chat-bot installed on its online payment page — amounting to a breach of the General Data Protection Regulation (GDPR).

The inclusion of the chat-bot, hosted by a third party Inbenta Technologies, on Ticketmaster’s online payment page enabled an attacker to access customers’ financial details, the ICO investigation found.

The data breach included names, payment card numbers, expiry dates and CVV numbers.

Some 9.4 million customers across Europe, including 1.5 million in the UK, were potentially affected.

Watch: Ticketmaster could check the COVID status of concert attendees

READ MORE: ICO fines Marriott £18.4m over customer data breach

The data breach has caused 60,000 payment cards belonging to Barclays Bank customers to be exposed to known fraud. Monzo Bank had to reissue 6,000 cards due to suspected fraudulent use after the breach.

The security issue began in February 2018 when Monzo Bank customers reported fraudulent transactions.

Ticketmaster failed to identify the problem despite further reports of fraud from the Commonwealth Bank of Australia, Barclaycard, Mastercard (MA), and American Express (AXP).

Ticketmaster only began to monitor the network traffic through its online payment page nine weeks after being made aware of possible fraud, according to the ICO.

The investigation found that Ticketmaster failed to assess the risks of using a chat-bot on its payment page, identify and implement appropriate security measures to negate the risks, and identify the source of suggested fraudulent activity in a timely manner.

READ MORE: Goldman Sachs appoints more women and ethnic minority partners

The chat-bot was completely removed from Ticketmaster UK Limited’s website on 23 June 2018, four months after the fraud was first reported.

Although the breach began in February 2018, the fine only relates to the issue from 25 May 2018, when new GDPR rules came into effect in the UK.

James Dipple-Johnstone, deputy commissioner of the ICO said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

“The £1.25m fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

A Ticketmaster spokesperson said: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal today’s announcement.”

Watch: Why tax rises may be inevitable in Britain