Business News Digital Legal Live Business Top Stories

Ticketmaster fined £1.25 million over 2018 data breach

By | Published on Monday 16 November 2020


The office of the UK’s Information Commissioner confirmed on Friday that it was fining Live Nation’s Ticketmaster £1.25 million in relation to a data breach of the ticketing firm’s website back in 2018.

Ticketmaster UK confirmed that it had identified a major security breach on its system in late June 2018. At the time the company said the breach was caused by malicious software on a third-party customer support product it used hosted by tech company Inbenta Technologies.

That product was immediately disabled across the firm’s websites and all the customers who might have been affected were contacted.

Digital bank Monzo subsequently revealed that it had spotted the breach several months earlier, adding that it had alerted the ticketing firm to the problem on 12 Apr, more than two months before Ticketmaster actually alerted customers to the issue.

In a statement on Friday, the ICO said its investigation had concluded that the data breach occurred because Ticketmaster failed to put appropriate security measures in place to prevent a cyber attack on a chatbot installed on its online payment page. Doing so broke data protection laws, and meant that credit card data for potentially millions of the company’s customers were accessed by hackers.

“Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud”, the ICO added. “Another 6000 cards were replaced by Monzo Bank after it suspected fraudulent use”.

Commenting on the fine, the Deputy Information Commissioner James Dipple-Johnstone stated: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. Ticketmaster should have done more to reduce the risk of a cyber attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud”.

He added: “The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda”.

In its response to the ICO’s statement, Ticketmaster confirmed it planned to appeal. Insisting the company “takes fans’ data privacy and trust very seriously”, it added: “Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today’s announcement”.

Ticketmaster also faces civil legal action from customers over the data breach. The lawyer who launched a lawsuit on behalf of 650 allegedly affected ticket-buyers last year, Kingsley Hayes, now with law firm Keller Lenkner, told the BBC this weekend that there was a particularly strong case against the ticketing company because “while several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers”.