- PrivacyOneStop

17/11/2020

ICO has fined Ticketmaster UK Limited £1.25million over a data breach

The Information Commissioner's Office (ICO) found that the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page. Ticketmaster’s failure to protect customer information is a breach of the General Data Protection Regulation (GDPR).

Background

The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4million of Ticketmaster’s customers across Europe including 1.5million in the UK.

Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.

The ICO found that Ticketmaster failed to:

    • Assess the risks of using a chat-bot on its payment page
    • Identify and implement appropriate security measures to negate the risks
    • Identify the source of suggested fraudulent activity in a timely manner

Key takeaways

The ICO added: “The malicious actor took advantage of Ticketmaster's inability to detect changes to scripts on its payment page. Following industry guidance could have mitigated this risk. Ticketmaster should have been aware of the risks to personal data in the circumstances”.

The ICO has considered the following mitigating factors:

• Once Ticketmaster removed the chat bot from its website, the Personal Data Breach ended.

• Ticketmaster forced password resets across all of its domains.

• The Commissioner is not aware of any outstanding compliance matters that would suggest that further steps to mitigate the damage or distress suffered by data subjects are required.

• Ticketmaster created a website where customers and media could receive information about the Personal Data Breach.

Ticketmaster has incurred considerable costs in relation to the Infringement, including the cost of twelve months of credit monitoring offered to all affected customers and legal costs.

Ticketmaster tried to argue that "there has been no evidence in the course of the ICO's investigation that the data subject affected by the Incident suffered any harm". However, The Commissioner does not regard the absence of harm upon a data breach to be, of itself, a mitigating factor in the circumstances of the Personal Data Breach.

The press release is available here and the penalty notice here.

Photo by Andy Li on Unsplash.

Tags:

#UK #ICO #Compliance #Monetary Penalty #GDPR

ICO has fined Ticketmaster UK Limited £1.25million over a data breach

Tags:

Latest Articles

Artificial Inteligence for Recruitment Purposes - When is It the Right Choice?

Privacy |

Consent |

Artificial Intelligence |

Compliance |

Privacy Programme |

GDPR |

Individual Rights |

Legitimate Interest |

Privacy Compliance Journey Series: Scope of the Law and Notification Requirements

Privacy |

Compliance |

Privacy Compliance Journey Series |

Privacy Programme |

Overview of the European Commission Draft of Standard Contractual Clauses Between Controllers and Processors Located in the EU

Privacy |

Standard Contractual Clauses |

Compliance |

GDPR |

European Commission |

Controller |

Processor |

Latest News

The Office of the Australian Information Commissioner Issues a Summary of 10 Steps to Undertaking a Privacy Impact Assessment

Privacy |

Compliance |

Australia |

Privacy Impact Assessment |

OAIC |

EDPB and EDPS Joint Opinion 1/2021

Standard Contractual Clauses |

GDPR |

European Data Protection Board |

European Data Protection Supervisor |

Singapore PDPC Issues a Guide to Job Redesign in the Age of AI

Guidelines |

Artificial Intelligence |

Compliance |

Singapore |

Personal Data Protection Commission |

Categories:

Tags:

PrivacyOneStop and Cookies