Ticketmaster UK has been fined £1.25 million for failing to keep its customers' personal data secure.
The Information Commissioner’s Office (ICO) found that the Live Nation-owned company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.
The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4 million of Ticketmaster’s customers across Europe, including 1.5m in the UK.
Deputy commissioner James Dipple-Johnstone said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.
“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
According to the ICO’s investigation, Ticketmaster’s decision to include the chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details.
The breach began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. But the ICO said Ticketmaster failed to identify the problem and took nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.
Although the breach began in February 2018, the penalty only relates to the breach from May 25, 2018, when new General Data Protection Regulation (GDPR) rules came into effect. The chat-bot was removed from Ticketmaster UK’s website in June 2018.