Minerva Studio - stock.adobe.com

Ticketmaster fined £1.25m by ICO for failing to protect customer data

Ticket website’s customer data was exposed through an attack on a third-party chatbot

Ticketmaster has been fined £1.25m by the Information Commissioner’s Office (ICO) for failing to protect customer data from cyber attackers.

A data breach, which began in February 2018, was revealed when customers of Monzo Bank reported fraudulent transactions.

Affected websites include Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb.

The fine follows an ICO investigation that found a chatbot on the company’s online payment page put it in breach of the General Data Protection Regulation (GDPR).

“The investigation found that Ticketmaster’s decision to include the chatbot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details,” said the ICO.

The names and card details of 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK, were potentially exposed.

Financial services firms affected included the Commonwealth Bank of Australia, Barclays Bank, Monzo, Mastercard and American Express, which all reported possible fraud to Ticketmaster. “But the company failed to identify the problem,” said the ICO.

The ICO found that as a result, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Meanwhile, Monzo Bank replaced 6,000 cards after it suspected fraudulent use.

James Dipple-Johnstone, deputy information commissioner, said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.

“Ticketmaster should have done more to reduce the risk of a cyber attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”

Dipple-Johnstone said the fine served as a message to other organisations that looking after customers’ personal details safely should be a top priority.

The ICO said Ticketmaster failed to assess the risks of using a chatbot on its payment page, failed to identify and implement appropriate security measures to negate the risks, and to identify the source of suggested fraudulent activity in a timely manner.

“In total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page,” said the ICO.

Read more about the ICO’s work

Read more on Data breach incident management and recovery