Is Ticketmaster really not to blame for its 2018 data breach?

Cybercrime criminal at computer
Share on facebook
Share on twitter
Share on linkedin

At Keller Lenkner UK, we have issued a claim for damages against ticketing giant Ticketmaster following its 2018 data breach. This is the first high profile action to be launched on behalf of multiple claimants in the UK since GDPR came into force. Keller Lenkner UK is the only law firm actively litigating this case in the UK.

But, to date, Ticketmaster is refusing to accept any blame for the breach. Instead, Ticketmaster claims that all responsibility for the data breach rests with Inbenta – a software provider that supplied Ticketmaster with chatbot software. It is this software that was compromised in the data breach incident.

Lawyers for Ticketmaster said that the business:  “is of the belief that it is not responsible for the Potential Security Incident”. That’s despite the fact that it was Ticketmaster that put the third-party JavaScript on a payment page.

What actually happened in the Ticketmaster data breach?

Malicious hacking group Magecart gained access to thousands of Ticketmaster’s customer payment details via a “customer support product hosted by Inbenta Technologies”. The malware used compromises webpage elements – typically JavaScript – to gain access to customer payment card and other sensitive details.

However, Inbenta has refuted that it is responsible, stating that: “Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code… Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it.”

Is Ticketmaster right?

Our data protection experts don’t think so. In fact, we strongly disagree with this defence and are currently collating evidence to prove that Ticketmaster was liable for the breach.  

In addition, according to RiskIQ, Ticketmaster also used SocialPlus – another company allegedly compromised by Magecart. So, while Inbenta has been established as the entry point for the malicious attack on its systems, at least one other source containing the skimmer had access to Ticketmaster’s websites. This indicates a failure in security at Ticketmaster.

Indeed, where a third-party has been involved in a breach, this does not mean the company that collected your data is not to blame. It is their responsibility to put adequate checks and processes in place to secure vendor access. So, implicating Inbenta as the bad actor is legally neither here nor there.

In our expert opinion, having seen the evidence supplied by Inbenta, we are confident Ticketmaster is guilty of severe data protection failures, and that it will be made to compensate victims.

Ticketmaster data breach group action


At Keller Lenkner UK, we are registering people who are interested in making a compensation claim following the Ticketmaster data breach.

Our first group action is ready to be heard in the High Court. But, because of the number of people affected by the Ticketmaster security breach, we are now registering people who want to join a second wave of claimants. If you join this second group, we will progress your claim once our first group action has been decided in court.

Crucially, you do not need to have suffered any financial loss or emotional distress to make a claim. If you have suffered a privacy violation caused by Ticketmaster’s breach of the Data Protection Act, you have a right to claim compensation.

Contact Keller Lenkner UK’s expert data breach lawyers to discuss the Ticketmaster data breach.

Share this article:

Share on facebook
Share on twitter
Share on linkedin