The Information Commissioner’s Office (ICO) continues to take no prisoners in handing out stiff financial penalties for data breaches.
The latest recipient is Ticketmaster UK, after the ICO announced it was fining “Ticketmaster UK Limited £1.25million for failing to keep its customers’ personal data secure.”
It comes after the ICO last month lowered its fine for the Marriott data breach to £18.4m, down from a £99 million fine issued last year.
The stiff financial penalty against Ticketmaster was because “the ICO found that the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.”
It said Ticketmaster’s failure to protect customer information was a breach of the General Data Protection Regulation (GDPR).
The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4 million of Ticketmaster’s customers across Europe, including 1.5 million in the UK.
Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.
But what really sealed Ticketmaster’s fine was that the ICO found the firm had failed to assess the risks of using a chat-bot on its payment page; failed to identify and implement appropriate security measures to negate the risks; and failed to identify the source of suggested fraudulent activity in a timely manner.
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” explained James Dipple-Johnstone, Deputy Commissioner.
“Ticketmaster should have done more to reduce the risk of a cyber-attack,” said Dipple-Johnstone. “Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”
“The £1.25million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda,” he added.
The ICO noted that it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.
Ticketmaster has said it would appeal against the fine.
“Ticketmaster takes fans’ data privacy and trust very seriously,” the firm was quoted by the BBC as saying.
“Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today’s announcement.”