The Information Commissioner’s Office may have reined in the headline-grabbing fine for its latest GDPR ruling by whacking Ticketmaster UK with a more modest £1.25m penalty, but the regulator still faces a costly legal battle to defend the ruling after the live entertainment giant confirmed it will appeal the decision.
The move comes just weeks after the conclusion of a 15-month challenge by both British Airways and Marriott International against their planned mega fines. Both firms managed to hammer down the eventual penalties by nearly 90%: BA’s dropped from £183m to £20m, while Marriott’s was slashed from £99m to £38.5m.
No doubt Ticketmaster’s lawyers will be studying those cases carefully, after the ICO ruled the company had failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.
The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4 million of Ticketmaster’s customers across Europe including 1.5 million in the UK.
The breach began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. But the company failed to identify the problem.
In total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.
The ICO’s investigation found that Ticketmaster’s decision to include the chat-bot, hosted by third-party Inbenta Technologies, on its online payment page allowed an attacker access to customers’ financial details.
Although the breach began in February 2018, the penalty only relates to the breach from May 25 2018, when GDPR came into effect. The chat-bot was completely removed from Ticketmaster UK’s website on June 23 2018.
Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.
ICO deputy commissioner James Dipple-Johnstone said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.
“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.
“The £1.25m fine we’ve issued will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
Industry body the DMA, which last week accused the ICO of sending out mixed messages, said the ruling is a stark warning to organisations that GDPR compliance is both people- and technology-driven.
Chief executive Chris Combemale said: “It is the duty of every person within an organisation to know their responsibilities under the GDPR and this includes being accountable for all technology used. Despite it being a third party’s chatbot software that created a gateway for this data breach, the onus is still on Ticketmaster to ensure that any technology they use is secure.
“Within a month, the ICO has now issued several record-breaking fines in response to significant security failures by organisations who are responsible for the data of millions of customers. Data privacy is not a tick-box exercise, organisations must continue to invest in keeping their customers’ data secure. Otherwise they will face penalties that could prove far more costly to the business.”
However, a Ticketmaster spokesperson said: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal the announcement.”