Global ticket seller Ticketmaster has been fined AUD $2.2 million for failing to prevent a data breach that resulted in a controversy that impacted more than 9.4 million of its European customers.
The fine for Ticketmaster was handed down by the UK’s Information Commissioner’s Office (ICO) who said that Ticketmaster’s failure to “put appropriate security measures in place,” was the main reason for the £1.25 million (AUD $2.2 million) fine, after a massive 2018 data breach saw private information of millions of its customers targeted by hackers.
Specifically, the ICO says that hackers targeted a vulnerability in Ticketmaster’s chat bot, to which the ICO said Ticketmaster had “failed to put appropriate security measures in place to prevent a cyber attack on a chat-bot installed on its online payment page.”
This lead the Information Commissioner’s Office to hand down the $2.2 million fine to Ticketmaster for its failure to prevent a data breach, stating specifically that Ticketmaster failed to:
- Assess the risks of using a chat-bot on its payment page
- Identify and implement appropriate security measures to negate the risks
- Identify the source of fraudulent activity in a timely manner
To make things worse for Ticketmaster, Keller Lenker, a UK based law firm has told the BBC that it will be launching a legal case against Ticketmaster regarding the data breach and subsequent acts of fraud against customers using its services.
“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” Kingsley Hayes, head of cyber crime at Keller Lenker said.
Reports state that Ticketmaster in June of 2018 “found malware within a customer chat function for its websites, hosted by Inbenta Technologies. Worryingly, the malicious code was found to be accessing an array of information, including names, address, email address, telephone number, payment details and Ticketmaster login details.”
ThreatPost writes that “it later came to light that the attack was the work of the Magecart gang, known for injecting payment skimmers into vulnerable website components.”
The ICO says that Ticketmaster failed to detect the malware in its system for a number of months, to which Ticketmaster has admitted. International customers using Ticketmaster’s system between September 2017 and June 2018 have been impacted, while UK customers that purchased tickets between February and June of 2018 were also impacted.
The ICO’s Deputy Commissioner, James Dipple-Johnstone has said that “when customers handed over their personal details, they expected Ticketmaster to look after them… but they did not.”
“Ticketmaster should have done more to reduce the risk of a cyber attack,” he said, adding that “it’s failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”
“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda,” Johnstone concluded.
The ICO says that the breach was discovered in February of 2018 when customers of Monzo Bank reported a number of transactions it believed were fraudulent to Ticketmaster. Australia’s Commonwealth Bank, Barclaycard and Mastercard soon followed with a number of their own fraud reports to Ticketmaster, who reportedly “failed to identify the problem.”
The ICO’s investigators found 60,000 Barclays bank cards had been used by fraudsters, while 6,000 Monzo bank cards were replaced by the bank after being classified as a potential avenue of fraud.
“In total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page… The ICO’s investigation found that Ticketmaster’s decision to include the chat-bot hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details,” the ICO says.
Ticketmaster has said that it would be appealing the ICO’s ruling.
The company has said in a statement that “Ticketmaster takes fans’ data privacy and trust very seriously,” adding that “since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal against today’s announcement,” it said.