ICO fines Ticketmaster £1.25 million for failing to protect customers

Ticketmaster UK Limited is the latest company to see monetary penalties being imposed upon it by the Information Commissioner’s Office (ICO). The major online ticket sales and distribution company has been fined £1.25 million, following a cyber attack, for its failure to protect customers’ payment details which potentially affected 9.4 million customers in Europe, including 1.5 million in the UK.

What went wrong?

In February 2018, Ticketmaster made the decision to include a chat-bot, hosted by a third party (Inbenta Technologies), on its online payment page. The inclusion of the chat-bot created a vulnerability that gave attackers a way to access customers' personal details, including names, addresses, e-mail addresses, full credit card numbers, CVV codes, and Ticketmaster usernames and passwords. This occurred during the period from February 2018 to 23 June 2018, before the matter was reported to the ICO.

As the breach occurred prior to Brexit, the ICO opened an investigation as the lead supervisory authority and found Ticketmaster to be in breach of the General Data Protection Regulation (GDPR). In particular, the ICO found that the company had failed to put appropriate security measures in place to prevent a cyber attack on the installed chat-bot, thereby failing to protect customers’ personal information.

The nature of Ticketmaster’s failure to protect customers arose from its delays and negligence in dealing with the breach. Firstly, Ticketmaster was notified by several banks, including Monzo Bank and Barclays, about potentially fraudulent activity in early April. Despite these notifications, the company did not begin monitoring the network traffic through its online payment page until nine weeks after the notifications were made.

Secondly, Ticketmaster was negligent under the Payment Card Industry Data Security Standard (PCI DSS) in presuming that, without oversight, Inbenta Technologies could provide an appropriate level of security in respect of processing card payments. Despite being notified of the potentially fraudulent activity by various banks and other parties, the company relied on what it had been told by Inbenta Technologies and failed to report the matter adequately. This ultimately led to the chat-bot not being completely removed from the website until 23 June 2018, by which point over 60,000 Barclays bank customers alone had been victims of fraud.

Level of fine

It can be argued that the level of fine set by the ICO was influenced by the dates of the breach. In taking action, the ICO recognised that new data protection rules were to come into force under GDPR on 25 May 2018. This resulted in the ICO dealing with the breach from 25 May 2018, despite notifications from various banks and other parties to Ticketmaster regarding the potentially fraudulent activity occurring in early April (if not earlier). This may not only have impacted on the level of fine imposed but also the number of customers which were potentially affected by the breach.

It is also worth noting that a reduction was awarded to Ticketmaster due to financial challenges caused by COVID-19 (reducing the fine from £1.5 million to £1.25 million) – a similar approach to that taken with the recent Marriott and BA fines. Although time will tell, this could indicate that going forward companies may be able to receive a reduced fine where they can demonstrate that they have suffered financial difficulty resulting from COVID-19.

Ticketmaster have indicated that they will appeal the decision of the ICO, and it remains to be seen whether they will follow through on this appeal.

Lessons to take from recent ICO fines

Commenting on the Ticketmaster action, James Dipple-Johnstone (Deputy Commissioner of the ICO) stated that: “The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda”. This message is reinforced by recent action taken by the ICO against both Marriott International and British Airways, where both companies were fined for their failure to keep the personal data and financial details of their customers secure.

Going forward, companies should be proactive in their assessment of data protection compliance. In particular, carrying out data protection impact assessments (DPIAs) before implementing new products or solutions will be key to uncovering where there may be issues. As found in the Ticketmaster action, it is not enough simply to rely on third parties; rather, businesses should be continually monitoring their compliance and reporting any suspicious activity to avoid action being taken against them.

How can we help?

For further information on data breaches and potential liabilities under UK data protection law, please get in touch with Val Surgenor or any member of our GDPR & Cyber Security team.

This article was co-written by Haris Saleem, Trainee Solicitor.
