On November 13th 2020, the ICO fined Ticketmaster £1.25 million for failing to keep its customers’ personal data secure. The breach has been identified as being caused by a third-party chatbot facility used on its payments page. The penalty has been long awaited following Ticketmaster’s data breach, which started in February 2018 and continued for several months.
Ticketmaster did present a challenge to the ICO because, with the General Data Protection Regulation (GDPR) coming into force in May 2018, and the breach taking place between September 2017 and 23 June 2018, the violation spanned two different data protection acts. The ICO got around this problem by issuing a penalty which only relates to the breach from 25 May 2018, when new rules came into effect.
Of course, while data protection lawyers might find this decision of interest, for people whose data was breached it does not make much difference: while the ICO fine is substantial, none of this money will be given to victims of the data breach. What does matter is that because of the breach, millions of people in the UK and Europe were exposed to potential fraud. According to the ICO, 60,000 payment cards belonging to Barclays Bank customers were subjected to known fraud, and Monzo Bank replaced another 6,000 cards on suspicion of fraudulent use. This highlights how devastating a data breach can be – and that is before we consider the emotional implications. Indeed, following the hack, Ticketmaster received 997 complaints relating to financial loss and/or emotional distress.
The ICO’s investigation also identified that Ticketmaster’s response to the breach was ineffective. While several banks tried to alert Ticketmaster to potential fraud, it took an unacceptable nine weeks for action to be taken, exposing the details of an estimated 1.5 million UK customers, including bank information.
Crucially for any organisations seeking to blame a third party for their data protection failures, the data protection watchdog also said that Ticketmaster was negligent to presume that Inbenta – the company that provided the software compromised in the attack – could provide an appropriate level of security for the processing of payment information.
The bottom line is that Ticketmaster should have done more to reduce the risk of a cyber-attack, and the fine should serve as a warning to other organisations that they will not get off lightly if they fail to protect their customers’ confidential details.
While this is a significant financial penalty, it should be noted that the ICO has to take the economic impact of the pandemic into consideration. Ticketmaster’s fine today is therefore significantly less than it would have been in ordinary circumstances.
Keller Lenkner UK is currently at an advanced stage of a High Court action against Ticketmaster on behalf of thousands of affected customers, with the effects of the breach causing actual and potential financial harm and distress.