ICO fines Ticketmaster £1.25 million over a data breach

The UK’s Information Commissioner’s Office (“ICO”) has issued a fine of £1.25 million against Ticketmaster UK Limited for a personal data breach occurring between February 2018 and June 2018 that affected 9.4 million data subjects. The final penalty notice takes into consideration only the period between 25 May 2018 and 24 June 2018 (the period during which the General Data Protection Regulation (“GDPR”) was applicable).


The ICO found that Ticketmaster failed to process personal data in a manner that ensured an appropriate level of security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, as required by Articles 5(1)(f) and 32 of the GDPR.


Facts of the case


On 6 April 2018, around 50 customers of Monzo Bank (“Monzo”) reported fraudulent transactions on their accounts. According to Monzo, one of its customers accidentally entered the wrong expiry date for his credit card on Ticketmaster’s website, so the transaction failed. However, that same credit card with the same incorrectly entered expiry date was then used in an attempted fraudulent transaction. Monzo described this as “smoking gun” proof that Ticketmaster’s website was the source of the personal data breach.


In May 2018, a Twitter user tweeted a picture of an error message on Ticketmaster’s website stating that one of the files used on the website had been compromised with malicious code.


Ticketmaster had contracted with Inbenta Technologies Inc. (“Inbenta”) to provide it with a chatbot for Ticketmaster’s websites. The JavaScript files used for the chatbot were hosted on Inbenta’s server.


An attacker had directed its attack at Inbenta’s servers and managed to insert malicious code into the JavaScript files used for the chatbot. Because Ticketmaster had also included the chatbot on its payment pages, the malicious code was able to ‘scrape’ the names, payment card numbers, expiry dates and CCV numbers entered there and send them back to the attacker.


Naturally, Ticketmaster alleged that Inbenta had been in breach of its contractual obligations by not keeping its software “free from malware”. Moreover, in its response to the ICO’s Notice of Intent to impose a penalty, it stated that the security measures it had adopted were reasonable, proportionate and appropriate.


Findings by the ICO


Having carefully examined the available evidence, the ICO found there were multiple failures by Ticketmaster to put in place appropriate technical or organisational measures to protect the personal data as required by the GDPR.


The GDPR required Ticketmaster to ensure the confidentiality, integrity, availability and resilience of its processing systems and services. In particular, Ticketmaster was required to ensure that only authorised changes were made to its websites that processed personal data, including payment pages.


According to the ICO, implementing third-party JavaScript into a website or chatbot has, for some time, been a known security risk. The risk is greater when such scripts are implemented into web pages that process payment card details.


See the ICO’s penalty notice here.