ICO fines Ticketmaster UK Limited £1.25million for failing to protect customers’ payment details

13 Nov 2020 11:25 AM

The Information Commissioner’s Office (ICO) has fined Ticketmaster UK Limited £1.25million for failing to keep its customers’ personal data secure.

The ICO found that the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.

Ticketmaster’s failure to protect customer information is a breach of the General Data Protection Regulation (GDPR).

The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4million of Ticketmaster’s customers across Europe including 1.5million in the UK.

Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.

The ICO found that Ticketmaster failed to:

• Assess the risks of using a chat-bot on its payment page
• Identify and implement appropriate security measures to negate the risks
• Identify the source of suggested fraudulent activity in a timely manner

James Dipple-Johnstone, Deputy Commissioner said:

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

“The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The breach began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. But the company failed to identify the problem.

In total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.

The ICO’s investigation found that Ticketmaster’s decision to include the chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details.

Although the breach began in February 2018, the penalty only relates to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect. The chat-bot was completely removed from Ticketmaster UK Limited’s website on 23 June 2018.

The breach occurred before the UK left the EU, therefore the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

Notes to Editors

1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.
4. The GDPR sets out six basic principles organisations must comply with in processing personal data. These are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; security; accountability. This penalty deals with failures by Ticketmaster UK Limited regarding the security principle.
5. On 7 February 2020, the ICO issued Ticketmaster UK Limited with a notice of intent to fine and received written representations in response. As part of the regulatory process the ICO considered these and the economic impact of COVID-19 before setting the final penalty.
6. The ICO applied the legislative framework in conjunction with the ICO’s Regulatory Action Policy (RAP), which states that "before issuing fines we take into account economic impact and affordability". The RAP is currently under review as part of the ICO’s consultation on its Statutory Guidance.
7. Where, as here, the processing in issue is cross-border, Article 56 of the GDPR makes provision for the designation of a lead supervisory authority. In this case, the ICO acted as the lead supervisory authority.
8. The ICO completed the Article 60 process prior to the issuing of the penalty. Article 60 of the GDPR provides that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. This includes submitting a draft decision to the other supervisory authorities concerned for their opinion and taking due account of their views.
9. Any monetary penalty is paid into the Consolidated Fund, which is the Government’s general bank account at the Bank of England, and is not kept by the ICO.
10. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.