Ticketmaster has finally caved in to legal action over its 2018 data breach, coughing up compensation to more than a thousand customers who had their personal details stolen, although the settlement includes no admission of liability.
The data breach in question began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster but the company failed to identify the problem.
A subsequent Information Commissioner’s Office investigation found that a chatbot, hosted by Inbenta Technologies, had allowed an attacker to access customers’ financial details – including names, payment card numbers, expiry dates and CVV numbers – although it took Ticketmaster more than nine weeks to act.
However, in an effort to increase the fine from a maximum of £500,000 under the old regime to the eventual £1.25m under GDPR, the ICO had to pick the dates carefully.
This meant its ruling only related to the four-week period from May 25 2018, when GDPR came into force, to June 23 2018, when the chatbot was removed. The five weeks beforehand were not covered, even though fraudulent activity was rife. Many customers were denied any compensation.
The High Court action was launched by legal firm Keller Lenkner UK on behalf of UK victims of the breach.
In a statement, the firm said: “Claimants represented by Keller Lenkner have settled their High Court group action against Ticketmaster. The claims for compensation were brought by in excess of 1,000 customers who claimed their data was compromised as a result of a cyberattack perpetrated on software supplied to Ticketmaster by a third party and operated on that third party’s systems and servers.
“Ticketmaster denies liability for the claims and the settlement has been made on a no admission basis. The terms of the settlement are otherwise confidential.”
The company’s appeal against the ICO fine, which had been delayed by the court action, will now proceed.
At the time of the ruling, a Ticketmaster spokesperson said: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.”