Ticketmaster drops GDPR appeal and pays £1.25m fine

Ticketmaster has finally caved in to the Information Commissioner’s Office ruling that it was in breach of GDPR, pulling out of its protracted appeal to agree to settle the £1.25m fine, first issued in November 2020.

The move comes just three months after the online ticketing site coughed up compensation to more than a thousand customers who had their personal details stolen, although the settlement included no admission of liability.

The data breach in question began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster but the company failed to identify the problem.

The ICO investigation found that a chat-bot, hosted by Inbenta Technologies, had allowed an attacker to access customers’ financial details – including names, payment card numbers, expiry dates and CVV numbers – although it took Ticketmaster more than nine weeks to act.

However, in an effort to increase the fine from a maximum of £500,000 under the old regime to the eventual £1.25m under GDPR, the ICO’s ruling only related to the four-week period from May 25 2018, when GDPR came into force, to June 23 2018, when the chatbot was removed.

The five weeks beforehand were not covered, even though fraudulent activity was rife. Many customers were denied any compensation.

At the time of the ICO ruling, in November 2020, deputy commissioner James Dipple-Johnstone said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

“The £1.25m fine we’ve issued will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”