Ticketmaster UK Limited is the latest company to see monetary penalties being imposed upon it by the Information Commissioner’s Office (ICO). The major online ticket sales and distribution company has been fined £1.25 million, following a cyber attack, for its failure to protect customers’ payment details which potentially affected 9.4 million customers in Europe, including 1.5 million in the UK.
What went wrong?
In February 2018, Ticketmaster made the decision to include a chat-bot, hosted by a third party (Ibenta Technologies), on its online payment page. The inclusion of the chat-bot created a vulnerability which allowed attackers a way of being able to access customers' personal details, including names, addresses, e-mail addresses, full credit card numbers, CVV, and Ticketmaster usernames and passwords. This occurred during the period of February 2018 to 23 June 2018 before the matter was reported to the ICO.
As the breach was prior to Brexit, the ICO opened investigations as the lead supervisory authority and found Ticketmaster to be in breach of General Data Protection Regulation (GDPR). In particular, the ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack on the chat-bot installed thereby failing to protect customers’ personal information.
The nature of Ticketmaster’s failure to protect customers arose from its delays and negligence in dealing with the breach. Firstly, Ticketmaster delayed its monitoring of the network traffic through its online payment page for nine weeks after being notified of the alleged fraudulent activity. Ticketmaster was notified by several banks, including Monzo Bank and Barclays, about the potentially fraudulent activity in early April. Despite these notifications, the company failed to monitor the network traffic until nine weeks after these notifications were made.
Secondly, Ticketmaster was negligent under the Payment Card Information Data Security Standard (PCI-DSS) to presume that, without oversight, Ibenta Technologies could provide an appropriate level of security in respect of processing card payments. Despite being notified of the potentially fraudulent activity by various banks and other parties, the company followed what had been said by Ibenta Technologies and failed to report the matter adequately. This ultimately led to the failure to completely remove the chat-bot from the website until 23 June 2018, by which point over 60,000 Barclays bank customers alone had been victims of fraud.
Level of fine
It can be argued that the level of fine set by the ICO was influenced by the dates of the breach. In taking action, the ICO recognised that new data protection rules were to come into force under GDPR on 25 May 2018. This resulted in the ICO dealing with the breach from 25 May 2018, despite notifications from various banks and other parties to Ticketmaster regarding the potentially fraudulent activity occurring in early April (if not earlier). This may not only have impacted on the level of fine imposed but also the number of customers which were potentially affected by the breach.
It is also worth noting that a reduction was awarded to Ticketmaster due to financial challenge caused by COVID-19 (reducing the fine from £1.5 million to £1.25 million) – a similar approach taken with the recent Marriott and BA fines. Although time will tell, this could indicate that going forward companies may be able to receive a reduced fine where they are able to demonstrate that they have suffered financial difficulty resulting from COVID-19.
Ticketmaster have indicated that they will appeal the decision of the ICO, and it remains to be seen whether they will follow through on this appeal.
Lessons to take from recent ICO fines
Commenting on the Ticketmaster action, James Dipple-Johnstone (Deputy Commission of the ICO) stated that: “The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda”. This message is re-enforced by recent action taken by the ICO against both Marriot International and British Airways where both companies were fined for their failure to keep the personal data and financial details of their customers secure.
Going forward, companies should be proactive in their assessment of data protection compliance, in particular carrying out data protection impact assessments (or DPIAs) before implementing new products or solutions will be key in uncovering where there may be issues. As found in the Ticketmaster action, it is not enough to simply rely on third parties, rather businesses should be continually monitoring their compliance and reporting any suspicious activity to avoid action being taken against them.
How can we help?
For further information on data breaches and potential liabilities under UK data protection law, please get in touch with Val Surgenor or any member of our GDPR & Cyber Security team.
This article was co-written by Haris Saleem, Trainee Solicitor.