Ticketmaster data breach: putting GDPR to the test

Share on facebook
Share on twitter
Share on linkedin

The Ticketmaster data breach saw cybercriminals get away with the personal and financial information of up to 40,000 people. And, in addition to causing loss and distress to these victims, the hack is also putting the UK’s data protection regulations to the test.

Unless you have been living under a rock, you will have heard about the General Data Protection Regulations (GDPR). Introduced on 25th May 2018, GDPR is having a significant impact on the way companies handle your valuable data – with enormous fines for those that don’t look after it properly.

For example, in October 2020, British Airways was fined £20 million after a series of data protection failures at the airline. So, it looks like the ICO is willing to hold companies to account.

Nevertheless, the Ticketmaster data breach is presenting a different kind of challenge to the ICO, and that’s because of when this breach took place.

What happened in the Ticketmaster data breach?

Ticketmaster was affected by a substantial data protection breach after cybercriminals hacked the company’s website. Different customers had different data stolen including:

  • Financial information stolen and used. There are reports that customers of Ticketmaster have been the victims of theft, with their cards used on money transfer service Xendpay, Uber gift cards and Netflix (among others).
  • Financial information stolen. Many of those affected by the Ticketmaster data breach have had their financial details stolen but not used (at least not yet). But that doesn’t mean these people are safe as stolen data is often used/put up for sale in batches over time. Crucially, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.
  • Email address stolen. If your email account has been hacked the consequences could be devastating. And it doesn’t matter if there is no evidence of your data being used. If the distress of having your data in the hands of cybercriminals has caused you suffering, you can make a claim.
  • Other personal information stolen. Along with the financial info and email addresses stolen, the Ticketmaster hackers also gained access to personally identifiable information (PII). PII includes any data that can be used to identify a specific individual, and, if it gets into the wrong hands, it can be used to undertake identity fraud. Anyone who has had their personal data stolen could be looking at compensation.

Ticketmaster data breach and GDPR

The Ticketmaster data breach affects up to 40,000 people who bought tickets between September 2017 and 23 June 2018. With the GDPR coming into force on May 25th 2018, this means that the breach spans two different data protection acts:

  • The Data Protection Act (DPA) 1998
  • The Data Protection Act (DPA) 2018 (the UK’s version of the GDPR).

These acts have drastically different level of fines. The first up to a maximum of £500,000 and the second up to £17 million (or 4% of an organisation’s annual turnover, whichever is higher).

It is not yet clear which legislation is relevant, but the breach could be judged under both. Alternatively, the entire data protection failure could be treated as a breach under GDPR as it kept happening after the new laws came into force. If GDPR is used, the Ticketmaster data breach fine could be significant.

What does this mean for you?


In truth, while data protection lawyers are eagerly waiting to see what legislation applies, for people who had had their data breached it doesn’t make much difference. Mainly because, while the ICO can impose a fine on a company, this isn’t given to victims of the data breach. The only way for you to hold Ticketmaster to account is to make a data breach compensation claim.

At Keller Lenkner UK, we have launched a multi-claimant against Ticketmaster. Multi-claimant actions can be a powerful tool and can have a bigger impact than a single claim.

Keller Lenkner UK is the only law firm actively litigating this case in the UK at the time of this fine.

Our first multi-claimant action is already well underway. But, because of the number of people affected by the Ticketmaster data breach, we are now registering people who are interested in the outcome of our initial action, and who might want to progress a further claim against Ticketmaster.


Contact Keller Lenkner UK’s expert data breach lawyers to discuss the Ticketmaster data breach.

Share this article:

Share on facebook
Share on twitter
Share on linkedin