Ticketmaster is refusing to pay all compensation claims from its 2018 data breach, arguing it is not liable for many of the fraudulent transactions through its website because the first five weeks of the incident were not covered by the recent GDPR enforcement action against the business.
The data breach in question began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster but the company failed to identify the problem.
A subsequent Information Commissioner’s Office investigation found that a chatbot, hosted by Inbenta Technologies, had allowed an attacker to access customers’ financial details, although it took Ticketmaster more than nine weeks to act.
However, in an effort to increase the resultant fine from a maximum of £500,000 under the old regime to the eventual £1.25m, the ICO had to pick the dates carefully.
This meant its ruling only related to the four-week period from May 25 2018, when GDPR came into force, to June 23 2018, when the chatbot was removed. The five weeks beforehand were not covered, even though fraudulent activity was rife.
The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK.
One customer who was affected during this earlier period travelled to the US in February 2018 and, while there, both his debit and credit cards were cancelled by his bank following a fraudulent attempt to use them on Ticketmaster. Having struggled to find alternative sources of money while in America, the man demanded compensation from Ticketmaster.
In a letter seen by The Register, Ticketmaster’s lawyers responded: “We are writing to inform you that the ICO has finished its investigation and published its findings in November 2020. The ICO made no findings about any contraventions by our client of its duties over the period during which you transacted with our client using your account. Accordingly, our client’s concluded position is that it has no liability to you arising from the Data Security Incident and, for that reason, it considers your inquiry closed and will not be providing compensation.”
In response, an ICO spokesperson said: “The £1.25m fine issued to Ticketmaster was in relation to infringements of the GDPR which only came into force on May 25 2018. Whilst the fine therefore could only relate to infringements from May 25 2018, prior to that date Ticketmaster would still have had to comply with the Data Protection Act 1998.”
Ticketmaster has yet to publicly comment on the issue, although it has already launched an appeal against the ICO ruling.