Ticketmaster UK said it plans to launch an appeal after the Information Commissioner’s Office (ICO) fined it £1.25 million for failing to protect customers’ payment details.
The fine follows a cyber-attack on the Live Nation-owned company’s website in 2018, which the ICO said potentially affected 9.4million of Ticketmaster’s customers across Europe including 1.5million in the UK.
It said Ticketmaster had failed to put appropriate security measures in place to prevent the cyber-attack on a chat-bot installed on its online payment page.
The data breach included names, payment card numbers, expiry dates and CVV numbers of Ticketmaster customers
Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.
The breach began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster.
The ICO said Ticketmaster failed to identify the problem and it took the company nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.
The chat-bot was removed from Ticketmaster UK’s website on 23 June 2018.
The penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.
A Ticketmaster spokesperson said, “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal the announcement.”
ICO deputy commissioner and chief regulatory office James Dipple-Johnstone said, “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”