Online ticketing company Ticketmaster UK has been hit with a £1.25m fine by the Information Commissioner's Office (ICO) for not putting adequate cybersecurity in place around a chatbot on its payment page, breaching GDPR rules.
The data breach, which exposed names, payment card numbers, expiry dates and CVV numbers, put some 9.4 million Ticketmaster customers across Europe at risk and was directly to blame for 60,000 cards belonging to Barclays Bank customers actually being defrauded.
An additional 6,000 Monzo Bank cards were replaced after the start-up bank suspected fraudulent use.
The ICO said that Ticketmaster had failed to assess the risks of using a chatbot on its payment page, failed to identify and implement appropriate security measures to mitigate those risks, and failed to identify the source of suspected fraudulent activity in a timely manner.
James Dipple-Johnstone, Deputy Commissioner at the ICO, said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”
Dipple-Johnstone added: “The £1.25m fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
The breach began in February 2018 when Monzo Bank customers reported fraudulent transactions. This was followed by The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all then reporting indications of fraud to Ticketmaster. However, no action was taken by Ticketmaster for nine weeks.
The ICO’s investigation found that Ticketmaster’s decision to include the chatbot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details.
Commenting on the fine, Rob Johnson, chairman of Telecom 2, which provides telecoms services and age verification services, said: “Having read through the ICO findings against Ticketmaster, it would seem the problem was with a third-party chatbot software provider. The chatbot was provided for the purpose of customer support on the payments page, and a vulnerability in the script allowed open visibility of card data as it flowed across the payments page. Although the company providing the software was ISO 27001 accredited, crucially, it was not PCI DSS compliant. I personally think both forms of compliance are essential when choosing a software partner for payments and, in this case, it would have saved Ticketmaster £1.25m and a lot of adverse publicity.”