Ticketmaster UK has been fined £1.25m by the Information Commissioner’s Office (ICO) following a data breach that left its customers’ personal details open to attack.
The online ticket marketplace suffered a major cyberattack in February 2018 which saw 9.4m customers across Europe, including 1.5million in the UK, affected.
The ICO has ruled that Ticketmaster UK failed to keep its customers’ personal data secure, and the company’s security failings constituted a breach of GDPR.
The breached data included names, payment card numbers, expiry dates and CVV numbers, meaning customers could have potentially lost out from their personal savings and accounts. 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud since the attack, and another 6,000 cards had to be replaced by Monzo Bank after it suspected fraudulent use.
The ICO says its investigation found Ticketmaster UK failed to put appropriate security measures in place to prevent a cyberattack on a chatbot installed on its online payment page.
The company also failed to identify and implement appropriate security measures to negate the risks, and identify the source of suggested fraudulent activity in a timely manner, taking nine weeks after originally being alerted to start monitoring suspect traffic.
The affected chatbot was only removed from Ticketmaster UK’s website on 23 June 2018, opening up even more customers to attack.
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” ICO deputy commissioner James Dipple-Johnstone said.
“Ticketmaster should have done more to reduce the risk of a cyber-attack. It’s failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.
“The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
Ticketmaster could have faced an even higher fine had the breach occured several months later, as the ICO noted that its penalty only related to activity after May 25 2018, the date when GDPR became law.