Ticketmaster has been fined £1.25m by the UK’s Information Commissioner’s Office (ICO) over a 2018 data breach.
Announced on Friday, the privacy watchdog said that Ticketmaster had failed to protect customers’ payment details with appropriate security measures after attackers were able to exploit a vulnerability in a chatbot, hosted by a third party, on the company’s online payment page.
This led to a data breach in which the affected data included names, payment card numbers, expiry dates and CVV numbers, potentially impacting 9.4 million of Ticketmaster’s customers across Europe, including 1.5 million in the UK.
As a result, 60,000 payment cards belonging to Barclays Bank customers had been subjected to fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected they had been used fraudulently.
It took the ticket company nine weeks to take action after being alerted to the potential fraud.
Ticketmaster was found to be in breach of the General Data Protection Regulation (GDPR). The breach began in February 2018 but the fine only related to the period after 25 May 2018 when GDPR came into force. The chatbot was removed in June 2018.
James Dipple-Johnstone, ICO Deputy Commissioner, said that the fine “will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda”.
Ticketmaster said it would appeal the decision.
This follows a difficult period for the entertainment industry, as the Covid-19 pandemic has meant countless events have been cancelled. Live Nation Entertainment, which was formed after Live Nation and Ticketmaster merged in 2009, reported a 98% year-on-year fall in revenue in Q2 of 2020.
Miles Tappin, VP of EMEA at ThreatConnect, said:
“The true impact of the 2018 Ticketmaster data breach has finally been revealed, with over nine million customers having their personal details stolen. Organisations must learn from this and act quickly to ensure their customer data remains secure in the long term.
“Not doing the basics leaves the door open for cybercriminals. Organisations must understand the importance of fostering a culture of security to make better decisions and mitigate increasingly sophisticated and complex cyber threats. It’s vital that organisations begin to quantify the risks available to them, asking themselves how likely am I going to get attacked and how damaging will it be to their overall infrastructure. Organisations will then be able to prioritise how best to protect their customers, helping security teams focus on the most important tasks at hand.”