The Information Commissioner's Office (ICO) found that the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page. Ticketmaster’s failure to protect customer information is a breach of the General Data Protection Regulation (GDPR).
The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4 million of Ticketmaster’s customers across Europe, including 1.5 million in the UK.
Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.
The ICO found that Ticketmaster failed to:
• Assess the risks of using a chat-bot on its payment page
• Identify and implement appropriate security measures to negate the risks
• Identify the source of suggested fraudulent activity in a timely manner
The ICO added: “The malicious actor took advantage of Ticketmaster's inability to detect changes to scripts on its payment page. Following industry guidance could have mitigated this risk. Ticketmaster should have been aware of the risks to personal data in the circumstances”.
The ICO has considered the following mitigating factors:
• Once Ticketmaster removed the chat-bot from its website, the Personal Data Breach ended.
• Ticketmaster forced password resets across all of its domains.
• The Commissioner is not aware of any outstanding compliance matters that would suggest that further steps to mitigate the damage or distress suffered by data subjects are required.
• Ticketmaster created a website where customers and media could receive information about the Personal Data Breach.
Ticketmaster has incurred considerable costs in relation to the Infringement, including the cost of twelve months of credit monitoring offered to all affected customers and legal costs.
Ticketmaster tried to argue that "there has been no evidence in the course of the ICO's investigation that the data subject affected by the Incident suffered any harm". However, the Commissioner does not regard the absence of demonstrated harm following a data breach to be, of itself, a mitigating factor in the circumstances of the Personal Data Breach.