The UK’s Information Commissioner’s Office (“ICO”) has issued a fine of £1.25 million against Ticketmaster UK Limited for a personal data breach occurring between February 2018 and June 2018 that affected 9.4 million data subjects. The final penalty notice takes into consideration only the period between 25 May 2018 and 24 June 2018 (the period during which the General Data Protection Regulation (“GDPR”) was applicable).
The ICO found that Ticketmaster failed to process personal data in a manner that ensured an appropriate level of security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, as required by Articles 5(1)(f) and 32 of the GDPR.
Facts of the case
On 6 April 2018, around 50 customers of Monzo Bank (“Monzo”) reported fraudulent transactions on their accounts. According to Monzo, one of its customers had accidentally entered the wrong expiry date for his credit card on Ticketmaster’s website, so the transaction failed. However, that same credit card, with the same incorrect expiry date, was then used in an attempted fraudulent transaction. Monzo described this as “smoking gun” proof that Ticketmaster’s website was the source of the personal data breach.
In May 2018, a Twitter user tweeted a picture of an error message on Ticketmaster’s website stating that one of the files used on Ticketmaster’s website had been compromised with malicious code.
Naturally, Ticketmaster alleged that Inbenta had been in breach of its contractual obligations by not keeping its software “free from malware”. Moreover, in its response to the ICO’s Notice of Intent to impose a penalty, Ticketmaster maintained that the security measures it had adopted were reasonable, proportionate and appropriate.
Findings by the ICO
Having carefully examined the available evidence, the ICO found there were multiple failures by Ticketmaster to put in place appropriate technical or organisational measures to protect the personal data as required by the GDPR.
The GDPR required Ticketmaster to ensure the confidentiality, integrity, availability and resilience of its processing systems and services. In particular, Ticketmaster was required to ensure that only authorised changes were made to the websites on which it processed personal data, including payment pages.
See the ICO’s penalty notice here.