A cyber incident suffered by Ticketmaster in 2018 resulted in the Information Commissioner’s Office (ICO) penalizing the company with a whopping £1.2 million in fines, said Silicon UK. The data privacy watchdog is known for going after firms that experienced breaches.
In the case of Ticketmaster UK Limited, the ICO said that the fine is “for failing to keep its customers’ personal data secure.”
Moreover, the agency found that the firm “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.” This is deemed a violation of the General Data Protection Regulation (GDPR).
The Ticketmaster breach covers a lot of sensitive customer information including names, payment card numbers, CVV numbers, and expiry dates. Around 9.4 million European customers were affected, 1.4 million of whom reside in the UK.
Click Lancashire reported that the watchdog discovered 66,000 cases of fraud or suspected fraud due to the incident.
While the scope and depth of the breach encompass millions, the ICO’s decision to fine the company is based on its failure to assess the risks of implementing a chat-bot on its payment page.
The firm also failed to determine and deploy security measures to address possible risks. Moreover, the company failed to promptly find the source of potential fraudulent activities.
ICO deputy commissioner James Dipple-Johnstone said, “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.”
Additionally, the agency believes that “Ticketmaster should have done more to reduce the risk of a cyber-attack” and “failure to do so meant that millions of people in the UK and Europe were exposed to a potential fraud.”
Ticketmaster is just one of the companies punished by the ICO for compromising its customers’ data. This year, the watchdog also fined Marriott £18.4 million, down from the £99 million originally intended.
Dipple-Johnstone said that fines similar to Ticketmaster’s “will send a message to other organizations that looking after their customers’ personal details safely should be at the top of their agenda.”
Meanwhile, Ticketmaster is planning to appeal to the ICO. According to the company, it cooperated fully with the agency. However, it took nine weeks for it to address the breach.
Click Lancashire said that the culprit chat-bot was removed from the payment page in June 2018, after the breach on May 25, 2018.