Ticketmaster is fined £1.25m for data breach
The Information Commissioner's Office (“ICO”) has issued Ticketmaster a £1.25m fine for a customer data breach linked to a third-party chat bot.
It's been a busy month for the ICO, which issued its third major GDPR fine last week, this time a £1.25m fine to Ticketmaster for failing to appropriately secure customer data in a cyber incident in 2018. The fine has been reduced from the £1.5m initially suggested when the ICO announced its intention to fine Ticketmaster, continuing a trend seen in relation to British Airways and Marriott International. Even so, that takes the ICO to three data breach fines totalling £39.65m in less than a month. Proportionately, this reduction pales compared to those seen in the fines levied on BA and Marriott, which ended up at between 10% and 20% of the initial fines suggested (see our articles on these ICO fines here and here). Ticketmaster has said it will appeal the ICO's decision.
The Ticketmaster fine relates to a cyber-attack which took place in 2018, which potentially compromised data of 9.4 million of Ticketmaster's customers. Ticketmaster had a chat bot, hosted by a third party, on its website including on its payment page. The JavaScript code in this chat bot was compromised and led to customer details, including some financial details, being unlawfully processed. Around 60,000 Barclays cards were subjected to known fraud and around a further 6,000 Monzo cards were replaced for suspected fraudulent use. Whilst the cyber-attack began in February 2018, the fine relates only to the period of time between the introduction of the GDPR on 25 May 2018 and the removal of the chat bot on 23 June 2018.
In its Penalty Notice, the ICO notes that Ticketmaster failed to address the well-established risk of embedding third-party JavaScript in a website or chat bot. The ICO further notes that Ticketmaster:
- could have implemented various technical measures to mitigate or remove the risk, such as using SRI (sub-resource integrity), or not having the chat bot on its payment page at all;
- ought to have been aware of the increased severity and likelihood of an attack, with attackers more likely to target financial data and to do so through a third-party supply chain, where security measures may be weaker; and
- was inefficient in its response to the incident.
It is noted that Ticketmaster fully cooperated with the ICO and provided evidence upon request, save for certain financial information in relation to its current financial position and the government support it was receiving as a result of the COVID-19 pandemic. The fine was reduced having regard to the impact of the COVID-19 pandemic, though not by nearly as much proportionately as we have seen with BA and Marriott. In determining the reduction, the ICO also considered remedial measures taken by Ticketmaster, including the removal of the chat bot from its website, forcing password resets across all of its domains and creating a website where customers and the media could receive information about the data breach. However, it appears the principal reason for what the ICO describes as an "exceptional reduction" is the impact of the pandemic on Ticketmaster's business.
Given that the ICO seems to have woken up in the last month, with data breach fines now totalling £39.65m and a number of other enforcement measures taken and investigations concluded, it will be interesting to see whether it keeps up the same pace over the medium term or whether this flurry is simply the result of a build-up of long-unresolved cases being further delayed by lockdown.
If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.