Ticketmaster UK has been fined £1.25 million after it suffered a massive data breach that exposed customers’ payment card details.
The ICO (Information Commissioner’s Office) levied the fine following an investigation into the incident, which was disclosed in June 2018.
It found that Ticketmaster failed to implement appropriate security measures on a chatbot on its online payment page, which was exploited by cyber criminals to steal customers’ sensitive information.
The error violates the GDPR (General Data Protection Regulation), which gives the ICO the power to issue fines of up to €20 million (about £18 million) or 4% of an organisation’s annual global turnover.
Up to 9.4 million people were potentially affected, including more than 1 million in the UK.
Investigators found that 60,000 payment cards belonging to Barclays Bank customers had been used fraudulently, and another 6,000 cards were replaced by Monzo Bank after it suspected fraud.
What went wrong?
In June 2018, Ticketmaster notified the users of its UK site that their personal information had been exposed in a malware attack.
It later confirmed that the perpetrators were Magecart, a criminal hacking group that injects payment skimmers into vulnerable website components – in this case Ticketmaster’s chatbot.
Ticketmaster initially blamed Inbenta Technologies, which developed the chatbot, for the breach. However, Inbenta clarified that
Inbenta added that Ticketmaster applied the script to its payments page without notifying its team.
“Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability,” the organisation said.
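The risk described above is a third-party script running on the same page as the card form. As an added illustration (not code from the article, Ticketmaster or Inbenta), the audit below parses a constructed checkout page, flags third-party scripts loaded without Subresource Integrity and inline scripts, and derives the narrowest Content-Security-Policy script-src allowlist for what is actually on the page. The host names and markup are assumed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (not Ticketmaster's markup): a first-party
# script with SRI, a third-party chat widget without it, and an inline script.
SAMPLE_PAYMENT_PAGE = """<html><body>
<script src="/static/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.chatbot.example/widget.js"></script>
<script>window.chatConfig = {lang: "en"};</script>
</body></html>"""

class ScriptAuditor(HTMLParser):
    """Records every <script> that lets code from outside the first party run beside the card form."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []           # (src, reason) pairs
        self.third_party_hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:  # inline script: CSP without a nonce/hash would block it
            self.findings.append(("<inline>", "inline script; needs a CSP nonce or hash"))
            return
        host = urlparse(src).netloc or self.first_party_host  # relative src = first party
        if host == self.first_party_host:
            return
        self.third_party_hosts.add(host)
        if not a.get("integrity"):
            self.findings.append((src, "third-party script without SRI"))

def audit_payment_page(html, first_party_host):
    """Return (findings, csp): csp is a script-src directive allowing only hosts seen on the page."""
    auditor = ScriptAuditor(first_party_host)
    auditor.feed(html)
    allow = ["'self'"] + ["https://" + h for h in sorted(auditor.third_party_hosts)]
    return auditor.findings, "script-src " + " ".join(allow)

if __name__ == "__main__":
    findings, csp = audit_payment_page(SAMPLE_PAYMENT_PAGE, "www.shop.example")
    for src, why in findings:
        print(f"{why}: {src}")
    print("Content-Security-Policy: " + csp)
```

SRI pins one exact file version, so a vendor widget that updates itself in place fails the hash check instead of loading silently changed code, which is the behaviour wanted on a card-entry page.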
The error has proved extremely costly for Ticketmaster, but that wasn’t the only issue that the ICO reviewed.
In its penalty notice, the data protection watchdog highlighted Ticketmaster’s inability to detect the source of the fraud promptly.
Customers first reported suspicious transactions in February 2018, but it took Ticketmaster nine weeks to start monitoring the network traffic through its online payment page.
James Dipple-Johnstone, the ICO’s deputy commissioner, said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.
“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.
“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”