Ticketmaster fined £1.25 million by ICO for security fails

On 13th November 2020 Ticketmaster was fined £1.25 million by the UK Information Commissioner’s Office for failing to keep its customers’ personal data secure. The ICO found that Ticketmaster had breached the requirements of Articles 5(1)(f) and 32 of the EU GDPR in failing to implement appropriate security measures to prevent a cyber attack.

The background

Although the penalty relates only to the period after the GDPR came into force in May 2018, the breach was found to have started in February 2018, when malicious code was injected into a chatbot on Ticketmaster’s payment page. This code allowed the attacker to harvest payment data from Ticketmaster users. The chatbot was disabled in June 2018 and the ICO was notified of the breach on 23rd June 2018. Affected individuals were notified on 28th June 2018.

The ICO found that Ticketmaster had “failed to implement a layered approach to security,” which it felt would have been appropriate under the circumstances. The ICO also found that Ticketmaster was unaware of the risk of a “supply chain attack” (for example through the provider of the chatbot) and that it should have risk-assessed the implementation of third-party scripts.

How did they decide on the fine?

Although the ICO felt that there was no financial gain to Ticketmaster as a result of the breach, they did consider:

  • The number of individuals affected

  • The lack of consideration demonstrated by Ticketmaster in not protecting personal data

  • Ticketmaster’s negligence in assuming that their third-party supplier would provide adequate security

  • Ticketmaster’s failure to follow industry standards that might have reduced or removed the risk

This was set against the fact that Ticketmaster had incurred considerable costs in creating a website to provide information about the breach, arranging for 12 months of credit monitoring for affected individuals, as well as forcing password resets across all of its domains. 

The original £1.5 million fine was revised down to £1.25 million to take into account the impact of the COVID-19 pandemic on Ticketmaster’s business.