Ticketmaster hit with £1.25m ICO fine for chatbot-related data breach

Tyrone Stewart

Ticketmaster UK has been handed a £1.25m fine by the Information Commissioner’s Office (ICO) for a data breach which may have affected more than 9m of Ticketmaster’s customers across Europe. The decision comes not long after the ICO hit Marriott International and British Airways with fines of £18.4m and £20m respectively.

Ticketmaster’s fine relates to a breach of data that included names, payment card numbers, expiry dates, and CVV numbers, and that may have affected 9.4m Ticketmaster customers across Europe – including 1.5m in the UK.

The ICO’s investigators found that 60,000 payment cards belonging to Barclays customers had been affected by fraud as a result of the breach. Another 6,000 cards were replaced by Monzo after the mobile bank suspected fraudulent use.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” said James Dipple-Johnstone, Deputy Commissioner. “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The breach, which stemmed from a third-party chatbot on the company’s online payment page, began back in February 2018, but the ICO’s penalty only relates to the breach from 25 May 2018 – when GDPR came into effect. The chatbot allowed the attacker to access customers’ financial details.

Despite Monzo, The Commonwealth Bank of Australia, Barclaycard, Mastercard, and American Express all reporting their concerns about fraud to Ticketmaster, it took the ticket company nine weeks to begin monitoring network traffic through its online payment page.

“This particular case sends a stark warning to organisations that GDPR compliance is both people and technology driven. It is the duty of every person within an organisation to know their responsibilities under the GDPR and this includes being accountable for all technology used. Despite it being a third party’s chatbot software that created a gateway for this data breach, the onus is still on Ticketmaster to ensure that any technology they use is secure,” said Chris Combemale, CEO at Data & Marketing Association.

“Within a month, the ICO has now issued several record-breaking fines in response to significant security failures by organisations who are responsible for the data of millions of customers. Data privacy is not a tick-box exercise; organisations must continue to invest in keeping their customers’ data secure. Otherwise they will face penalties that could prove far more costly to the business.”