Ticketmaster UK fined by ICO following huge data breach

(Image credit: Shutterstock / Askobol)

Ticketmaster UK has been fined £1.25m by the Information Commissioner’s Office (ICO) following a data breach that left its customers' personal details open to attack.

The online ticket marketplace suffered a major cyberattack in February 2018 which saw 9.4m customers across Europe, including 1.5million in the UK, affected.

The ICO has ruled that Ticketmaster UK failed to keep its customers’ personal data secure, and the company's security failings constituted a breach of GDPR.

GDPR breach

The breached data included names, payment card numbers, expiry dates and CVV numbers, meaning customers could have potentially lost out from their personal savings and accounts. 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud since the attack, and another 6,000 cards had to be replaced by Monzo Bank after it suspected fraudulent use.

The ICO says its investigation found Ticketmaster UK failed to put appropriate security measures in place to prevent a cyberattack on a chatbot installed on its online payment page. 

The company also failed to identify and implement appropriate security measures to negate the risks, and identify the source of suggested fraudulent activity in a timely manner, taking nine weeks after originally being alerted to start monitoring suspect traffic.

The affected chatbot was only removed from Ticketmaster UK's website on 23 June 2018, opening up even more customers to attack.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not," ICO deputy commissioner James Dipple-Johnstone said.

“Ticketmaster should have done more to reduce the risk of a cyber-attack. It’s failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

“The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

Ticketmaster could have faced an even higher fine had the breach occured several months later, as the ICO noted that its penalty only related to activity after May 25 2018, the date when GDPR became law. 

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.