The Information Commissioner’s Office (ICO) has fined Ticketmaster UK Limited £1.25 million over a data breach that exposed the personal information of millions of consumers.
The ICO found the company’s security measures were not adequate to prevent the cyberattack, which happened through a chatbot on Ticketmaster’s online payment page beginning in early 2018.
ICO Investigates Ticketmaster Cyberattack
About 9.4 million European Ticketmaster consumers had their names and payment card numbers — including their expiration dates and CVV numbers — breached in the cyberattack. About 1.5 million of those were in the U.K., according to the ICO.
About 60,000 Barclays Bank customer payment cards had been exposed to fraud, the ICO investigation found. And Monzo Bank replaced an additional 6,000 cards after fraud was suspected.
In February 2018, Monzo Bank customers started reporting suspicious transactions, and the Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suspicions of potential fraud to Ticketmaster, the ICO reported.
However, the company didn’t identify the issue right away.
According to the ICO, the company took nine weeks between being alerted to the potential fraudulent activity and beginning to monitor the traffic through the online payment page.
Through its investigation, the ICO determined the cyberattacker was able to access customer information due to Ticketmaster’s decision to use a third-party chatbot on the payment page.
The ICO investigation revealed Ticketmaster had failed not only to implement proper security measures, but also to properly assess the risks associated with using a chatbot on its payment page and to identify the source of the fraud in a timely way.
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” ICO deputy commissioner James Dipple-Johnstone said, adding Ticketmaster should have done more to reduce the risk of an attack.
“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
Ticketmaster Appealing ICO Fine
The new General Data Protection Regulation (GDPR) came into effect on 25 May 2018, meaning the £1.25 million fine only covers the breach from that point on, rather than from February 2018, when the cyberattack began, according to the ICO.
Ticketmaster removed the chatbot from its site on 23 June 2018.
Because the data breach occurred before the U.K. left the EU, the ICO investigated on European authorities’ behalf.
EU Data Protection Authorities have approved the fine through the GDPR cooperation procedures.
Ticketmaster has said that while it takes customer data privacy “very seriously,” it plans on appealing the fine.
“Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO,” Ticketmaster said in a statement, according to the BBC. “We plan to appeal [against] today’s announcement.”
Inbenta was the third-party company involved in managing the chatbot.
Law firm Keller Lenkner announced it will be pursuing legal action against Ticketmaster on fraud victims’ behalf.
“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” the firm’s head of cybercrime told the BBC.
Data Breaches Put Millions of Consumers at Risk
The ICO has issued similar fines over data breaches in the past.
In late October, the regulator fined Marriott International $18.4 million after the private information of millions of customers was breached.
In that 2014 data breach, 339 million customer records worldwide were compromised.
The cyberattacker had installed code on a Starwood Hotels system, but it wasn’t discovered until September 2018, shortly after Marriott acquired Starwood.
During the time the cyberattacker had access to the system, they installed malware, as well as other tools designed to collect login details from other users.
The cyberattacker remains unknown.
A group litigation is being pursued in the Marriott data breach.
U.K. law firms also are accepting claimants for a class action lawsuit over a 2015 TalkTalk data breach.
In that breach, thousands of customers’ personal information was exposed, including bank account numbers, names and addresses.
Customers say TalkTalk did not inform them of the breach, and it’s believed the information may have been online without their knowledge since the breach happened.
The cyberattacker in that case accessed the information of about 157,000 customers; about 15,000 of them had bank account numbers compromised.