On November 13, 2020, the UK Information Commissioner’s Office (“ICO”) fined Ticketmaster UK Limited (“Ticketmaster”) £1.25 million for failing to keep its customers’ personal data secure. The ICO found that Ticketmaster had failed to implement appropriate security measures to prevent a cyber attack, breaching the requirements of Articles 5(1)(f) and 32 of the EU General Data Protection Regulation (“GDPR”). The ICO acted as the lead supervisory authority with regard to the cross-border processing affected by this breach, and the penalty has been approved by the other EU data protection authorities through the GDPR’s cooperation process. Ticketmaster has indicated that it will appeal the fine.
Ticketmaster’s breach started in February 2018 when malicious code was injected into a chatbot included on Ticketmaster’s payment page (though the penalty relates to the breach from May 25, 2018, when the GDPR came into effect). The malicious code allowed the attacker to harvest payment data entered by Ticketmaster users. The incident came to an end in June 2018 when the chatbot was disabled. The ICO was notified of the breach on June 23, 2018, and affected individuals were notified on June 28.
The breach exposed customers’ names, account details and payment card information, potentially affecting 9.4 million individuals in the EEA, including 1.5 million in the UK. The Penalty Notice indicates that approximately 60,000 payment cards of Barclays Bank customers were compromised as a result of the breach, while Monzo Bank replaced 6,000 cards on the basis of suspected fraud. Ticketmaster also received almost 1,000 complaints relating to the breach that alleged financial loss or emotional distress.
According to the ICO, Ticketmaster “failed to implement a layered approach to security,” which would have been appropriate under the circumstances. For example, the chatbot used third-party JavaScript, which, according to the ICO, is a known security risk, particularly where the chatbot is implemented on web pages that process personal data. The ICO also stated that Ticketmaster should have been aware of the risk of a “supply chain attack” (i.e., an attack targeting a third-party organization that supplies services to a primary organization; in this case, Inbenta, the provider of the chatbot). The ICO stated that Ticketmaster should have risk-assessed the implementation of third-party scripts, and was unable to show threat analysis documentation or demonstrate that it had considered the risks.
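A defender-side check for the weakness the ICO describes here, as an added example that is not drawn from the penalty notice or from Ticketmaster’s or Inbenta’s code: it inventories the script tags on a constructed checkout page, flags third-party scripts that are not on an approved list or lack a Subresource Integrity hash, and derives a Content-Security-Policy script-src directive limited to approved origins. The origins, the sample page and the integrity value are placeholders.

```javascript
// Added example, not the ICO's or Ticketmaster's code. Inventories <script src>
// tags on a payment page and flags third-party scripts lacking controls.

// Constructed sample checkout page; all origins and the hash are placeholders.
const SAMPLE_PAGE = `
<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://chat.vendor-example.net/widget.js"></script>
<script src="https://cdn.approved-example.com/lib.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script>inlineInit();</script>
</body></html>`;

// Returns one finding per <script> tag: its origin, whether it is first-party,
// third-party or inline, and the control gaps a risk assessment should record.
function inventoryScripts(html, firstPartyOrigin, approvedOrigins) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) {
      // Inline code runs with the page's privileges; under CSP it needs a nonce or hash.
      findings.push({ src: null, kind: 'inline', origin: firstPartyOrigin,
                      issues: ['inline script on payment page'] });
      continue;
    }
    const origin = new URL(src[1], firstPartyOrigin).origin;
    const issues = [];
    if (origin !== firstPartyOrigin) {
      // Third-party code on a page handling card data is the supply-chain exposure.
      if (!approvedOrigins.includes(origin)) issues.push('third-party origin not in approved list');
      // Without SRI the browser accepts whatever the vendor's server returns today.
      if (!/\bintegrity\s*=/i.test(attrs)) issues.push('no Subresource Integrity hash');
    }
    findings.push({ src: src[1], kind: origin === firstPartyOrigin ? 'first-party' : 'third-party',
                    origin, issues });
  }
  return findings;
}

// A second layer: a CSP script-src that lets only 'self' and approved origins load.
function cspScriptSrc(approvedOrigins) {
  return `script-src 'self' ${approvedOrigins.join(' ')};`;
}

const APPROVED = ['https://cdn.approved-example.com'];
for (const f of inventoryScripts(SAMPLE_PAGE, 'https://shop.example', APPROVED)) {
  console.log(`${f.kind.padEnd(11)} ${f.src ?? '(inline)'} ${f.issues.join('; ')}`);
}
console.log(cspScriptSrc(APPROVED));
```

The unlisted chat widget comes out with two findings, which is the kind of record the ICO said Ticketmaster could not produce for its third-party scripts.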
Ticketmaster also did not take steps to verify the chatbot even after being alerted to the malicious code by a Twitter user. In addition, the intervals between periodic security vetting conducted by Ticketmaster were found to be too long, and the issue with the chatbot was not detected quickly enough after Ticketmaster was notified of possible fraud. Ticketmaster did not start monitoring the network traffic through its online payment page until nine weeks after being alerted to possible fraud.
In calculating the fine, the ICO first established that there was no financial gain to Ticketmaster as a result of the breach. It then considered the factors listed under Article 83(2)(a) of the GDPR, noting the number of individuals affected, the “lack of consideration” demonstrated by Ticketmaster with regard to protecting personal data and its negligence in assuming that Inbenta could provide adequate security with respect to payment card data, and Ticketmaster’s failure to follow industry standards that would have mitigated the risk of attack.
In mitigation, the ICO noted that Ticketmaster created a website to provide information about the breach and arranged for 12 months of credit monitoring for affected individuals, as well as forcing password resets across all of its domains. The ICO commented that Ticketmaster incurred considerable costs relating to the breach.
The fine initially proposed by the ICO in its notice of intent to fine, issued on February 7, 2020, was £1.5 million. This was revised downwards to take into account the impact of the COVID-19 pandemic on Ticketmaster’s business, which relies on live sports, music and entertainment events.
View the penalty notice issued by the ICO.