Ticketmaster data breach fine – appeal stayed until 2023
Ticketmaster UK v the Information Commissioner: Tribunal grants stay of proceedings over 2018 data breach that resulted in fine of £1.25m.
The First-tier Tribunal (Information Rights) has approved Ticketmaster's application to stay proceedings over the cyber-attack that potentially compromised the data of 9.4 million of its customers.
The ICO issued a £1.25m monetary notice against Ticketmaster in November 2020, for failing to appropriately secure customer data in a cyber incident that occurred in 2018. Ticketmaster had a chat bot, hosted by a third party, on its website including on its payment page. The JavaScript code in this chat bot was compromised and led to customer details, including some financial details, being unlawfully processed. The ICO found Ticketmaster had breached Articles 5(1)(f) and 32 of the GDPR, namely the failure to protect payment details. For full details and background to the case please see our previous article here.
Ticketmaster appealed against the above decision in December 2020 on the basis that it did not breach its obligations under the GDPR, and that the penalty imposed was either not justified or was excessive. It has since requested a stay of the appeal, advancing a number of reasons concerning recent related High Court proceedings, whose judgment it wishes to await before the Tribunal hears the case. The High Court proceedings concern a group action claim by 795 Ticketmaster customers who allege that their personal data was compromised as a result of the cyber-attack, and a Part 20 action commenced by Ticketmaster against the supplier of the chat bot involved in the attack.
Such stays are an exception, rather than the norm. The Tribunal also noted that there were compelling reasons as to why the stay should not be granted. However, it determined that, on balance, the Tribunal would be materially assisted by a substantive judgment from the High Court proceedings. Those proceedings would be likely to determine points on common issues of law such as the proper approach to the application of Article 5(1)(f) of the GDPR - i.e. that data shall be processed in such a way as to maintain its integrity and confidentiality - in cyber-security disputes where the data controller did not process the personal data that was in fact compromised. The Tribunal would be bound by any conclusions arrived at by the High Court on these matters.
The stay was therefore granted until 28 days after the High Court judgment is handed down.
The granting of this stay means that the Tribunal is unlikely to hear Ticketmaster's appeal until Q3/Q4 of 2023. That suggests the conclusion of this enforcement process will not be arrived at until five years after the original incident took place and three years after the ICO handed down its £1.25m fine. It's an unfortunate decision for the ICO, as it will cause a lengthy delay in recovering the fine and may even result in a significant reduction (if it receives the fine at all, that is). It contributes to an unhelpful narrative for the ICO whereby its fines are seen as potentially vulnerable to challenge, particularly in the wake of its heavy discounts on fines already issued to British Airways and Marriott International.
Finally, although the Tribunal noted that a stay will only be available in a minority of cases, identifiable on a case-by-case basis, this decision highlights the ability of organisations to delay enforcement action or attempt to reduce penalties imposed for data protection-related breaches in the UK.











