NEWS | 16 November 2020

ICO fines Ticketmaster for GDPR breach


UK – The Information Commissioner’s Office (ICO) has fined events firm Ticketmaster UK £1.25m for failing to keep customers’ personal data secure. 

The ICO found that Ticketmaster had breached the General Data Protection Regulation (GDPR) by failing to put appropriate security measures in place to prevent a cyber-attack on a chat bot on the online payment page of the company’s website in 2018.

The resulting data breach exposed names, payment card numbers, expiry dates and card verification value (CVV) numbers, and potentially affected 9.4 million customers, including 1.5 million people in the UK.

The breach led to frauds on 60,000 payment cards belonging to Barclays Bank customers. Monzo Bank also replaced 6,000 cards due to suspected fraudulent use.

The cyber-attack began in February 2018, but the fine issued related to the period between the introduction of the GDPR on 25th May 2018 and the removal of the chat bot on 23rd June 2018.

The issue was raised with Ticketmaster by several banks, said the ICO, but the company took nine weeks in total to identify the problem.

The ICO found that Ticketmaster had failed to properly assess the risks of using the chat bot on its payment page, and had not identified and implemented appropriate security measures to reduce those risks.

The company also failed to identify the source of the fraudulent activity in a timely manner, according to the ICO.

James Dipple-Johnstone, deputy commissioner of the ICO, said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”

A spokesperson for Ticketmaster said the company “takes fans’ data privacy and trust very seriously” and that the company planned to appeal the ICO’s ruling.