Ticketmaster ignored data breach warnings

unlocked padlock on computer components
Share on facebook
Share on twitter
Share on linkedin

On 27th June 2018, Ticketmaster notified customers that malware had infected one of its systems and that their personal data could be at risk. The hack, which affected thousands of people in the UK, compromised customer names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details. All of these can be used by cybercriminals to commit further crimes.

While Ticketmaster reported the issue to the Information Commissioner’s Office (ICO), which it is required to do by law, we now know that the company was alerted to the breach in early April 2018, but failed to do anything about it.

Fast forward to October 2020, and the ICO has come down strong on British Airways and Marriott International for failing to ensure the security necessary to protect confidential customer information, with respective fines of £20 million and £18.4 million for their high-profile data breaches. With the ICO’s penalty announcement on the Ticketmaster data breach now imminent, the failure to respond to warnings is bound to be taken into consideration by the data protection regulator.

Who warned Ticketmaster about the data breach?

Malicious hacking group Magecart gained access to thousands of Ticketmaster’s customer payment details via a “customer support product hosted by Inbenta Technologies”. The malware used compromises webpage elements – typically JavaScript – to gain access to customer payment card and other sensitive details.

However, Inbenta has refuted that it is responsible, stating that: “Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code… Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it.”

Is Ticketmaster right?

According to online bank Monzo, it warned Ticketmaster that something strange was going on two months before the business revealed its payment pages had been hacked. But, in responding to the bank’s concerns, Ticketmaster said: “an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”

Monzo reported that many customers were the victim of theft, with their cards used on money transfer service Xendpay, Uber gift cards and Netflix (amongst others). And Monzo believed that Ticketmaster was the link between these fraudulent transactions.

Ticketmaster maintained that: “When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf. In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.”

Ticketmaster still does not believe it is to blame

Continuing to defend its actions, Ticketmaster blamed third-party supplier Inbenta for the security breach. And the failure did happen after an Inbenta chatbot was infected with malicious software while having access to the Ticketmaster website.

However, Inbenta swiftly put the blame back with Ticketmaster. It claimed the ticketing giant placed JavaScript on payment pages, without Inbenta’s knowledge. It was this script that was abused by hackers. In a statement, Inbenta said: “Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability.”

What is happening now?

With the ICO investigation reaching its conclusion, Ticketmaster will undoubtedly be held to account for this appalling data protection failure. And, in addition to the initial negligence, Ticketmaster will no doubt be penalised further if the ICO believes that it failed to identify the breach – despite the warnings.

However, the ICO took the financial impact of COVID-19 into account when setting the British Airways and Marriott International fines and reduced them significantly. So, it is quite possible that Ticketmaster’s penalty will be far less than previously expected.

What can you do to claim data breach compensation?


The data breach affects Ticketmaster, TicketWeb, and the resale website Get Me In! UK customers who purchased, or attempted to buy, tickets between February 2018 and 23rd June 2018 may be affected. Following the data breach, Ticketmaster emailed those involved informing them that their data was at risk.

At Keller Lenkner UK, we believe that the cybercriminals who accessed this data may have already used it to carry out fraud (or have sold it to other criminals with nefarious purposes). Many of our clients have experienced multiple fraudulent transactions on their payment cards, while several have suffered psychological trauma relating to the breach. As such, more must be done to hold Ticketmaster to account.

Signs that criminals have used your data following the Ticketmaster security breach include:

  • bills or emails showing goods or services you have not ordered
  • unfamiliar transactions from your account
  • an unexpected dip in your credit score
  • an increase in spam and unsolicited communications
  • phishing attempts that ask for your personal data or refer you to a web page asking for personal data.

Our specialist data protection lawyers urge anyone affected by the Ticketmaster hack to start a data protection compensation claim if they have not already done so.  It does not matter if there is no evidence that your data has been used to carry out identity theft or fraud. If the data breach has caused you stress or anxiety, then the law states that you are entitled to compensation.

Contact Keller Lenkner UK’s expert data breach lawyers to discuss the Ticketmaster data breach.

Share this article:

Share on facebook
Share on twitter
Share on linkedin