Ticketmaster fined

by Mark Rowe

The ticketing website Ticketmaster UK has been fined £1.25m by the Information Commissioner’s Office (ICO) for a data protection offence. The ICO found that the company failed to have appropriate security measures to prevent a cyber-attack on a chat-bot installed on its online payment page. That failure to protect customer information is a breach of the General Data Protection Regulation (GDPR), the European Union-wide rules that came into force across the EU (including the UK) in May 2018.

The data breach, which exposed names, payment card numbers, expiry dates and CVV numbers, and Ticketmaster user-names and passwords, potentially affected 9.4m of Ticketmaster’s customers across Europe, including 1.5m in the UK. Ticketmaster notified them by email on June 27-28 because they had bought, or tried to buy, tickets since February.

The ICO – looking into the case on behalf of counterpart regulators across the EU – found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.

James Dipple-Johnstone, Deputy Commissioner, said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25m fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The breach began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. But the company failed to identify the problem. On or around May 5, it hired four forensics firms.

It took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page. The ICO found that Ticketmaster’s decision to include the chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details.

Although the breach began in February 2018, the penalty relates only to the part of the breach from May 25, 2018, when the GDPR came into effect. The chat-bot (‘customer support product’), hosted by a third-party supplier, Inbenta Technologies Inc, was completely removed from Ticketmaster’s website on June 23, 2018. Malicious code inserted into the product had allowed an attacker to export customers’ data.

As Ticketmaster told the ICO, when companies contract with software suppliers, ‘the contracting company rarely has visibility into the changes made to third-party scripts served from the third party vendor’s own servers’. Although Ticketmaster contended otherwise, the ICO found that the firm was subject to PCI-DSS (Payment Card Industry Data Security Standard) requirements. Ticketmaster argued that it was entitled to rely on Inbenta to provide a safe chat-bot. Ticketmaster was unable to show that it had carried out a formal risk assessment of the chat-bot on its payment page.

The ICO found that Ticketmaster (parent company: Live Nation Entertainment) failed to:

– Assess the risks of using a chat-bot on its payment page;
– Identify and bring in appropriate security measures to negate the risks; and
– Identify the source of suggested fraudulent activity in a timely manner.

For the ICO findings in detail visit the ICO website.

Comments

Miles Tappin, VP of EMEA at cyber intelligence product firm ThreatConnect said that organisations must learn. “Not doing the basics leaves the door open for cybercriminals. Organisations must understand the importance of fostering a culture of security to make better decisions and mitigate increasingly sophisticated and complex cyber threats. It’s vital that organisations begin to quantify the risks available to them, asking themselves how likely am I going to get attacked and how damaging will it be to their overall infrastructure. Organisations will then be able to prioritise how best to protect their customers, helping security teams focus on the most important tasks at hand.

“Coupling risk quantification with intelligence sharing will guarantee a united and streamlined approach to protecting customers. The more information organisations are able to discover, the better their data driven decision making process becomes – in turn minimising organisational risks. With continuous insight, there is no doubt that threats can be mitigated as organisations collect the data, connect the dots, and understand the true nature of the threats they face.”

© 2024 Professional Security Magazine. All rights reserved.