ICO fines Ticketmaster UK Limited 1.39 million Euros under the GDPR, for failing to prevent chatbot cyber attack.
The ICO has fined Ticketmaster UK in relation to a recent data breach which potentially affected over 9 million customers across the EU. This data breach was orchestrated via a chatbot which the company installed on its online payment page. The company’s failure to protect their customers’ information is a breach of the GDPR.
In February 2018, several Monzo bank customers reported fraudulent transactions. In addition, the Commonwealth Bank of Australia, Barclaycard, MasterCard and American Express all made reports to the company suggesting fraud. Nine weeks after being alerted, Ticketmaster began monitoring network traffic via its online payment page. The breach began in February 2018; however, the penalty which ensued relates only to the period of the breach from May 25, 2018, the date on which the new rules under the GDPR came into force.
This data breach potentially affected millions of customers as their payment information became compromised.
The data breach in question included names, payment card numbers, expiry dates and CVV numbers, potentially affecting 9.4 million of Ticketmaster’s customers across Europe, with approximately 1.5 million in the UK. The investigation uncovered that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers were subjected to known fraud. An additional 6,000 cards were replaced by Monzo due to suspected fraudulent use.
The ICO found that there weren’t adequate security measures in place to protect customers’ data.
The ICO’s investigation revealed that Ticketmaster’s decision to include the chatbot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details. Deputy Commissioner James Dipple-Johnstone said “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.” The ICO found that Ticketmaster failed to assess the risks of using a chatbot on its payment page, to identify and implement appropriate security measures to mitigate those risks, and to identify the source of the suggested fraudulent activity in a timely manner. The ICO issued Ticketmaster UK Limited with a notice of intent to fine on 7 February 2020, and received written representations in response.
The ICO fines Ticketmaster UK under the GDPR on behalf of all EU authorities, taking into account the impact of the COVID-19 pandemic.
Since the breach happened before the UK left the EU, the ICO acted as the lead supervisory authority. The ICO completed the Article 60 GDPR process prior to issuing the penalty. This article provides that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. The process included submitting a draft decision to the other supervisory authorities for their opinion and taking their views into consideration. When deciding on the fine, the ICO considered not only affordability but also the economic impact of COVID-19, among other factors.
The ICO statement is available on its website.