ICO fines Ticketmaster UK £1.25 million for 2018 data breach

Chris Lunn • November 22, 2020


The Information Commissioner’s Office (ICO) has fined Ticketmaster UK £1.25 million under the Data Protection Act 2018 for failing to prevent a data breach that affected 9.4 million customers across Europe, including 1.5 million in the UK.

In June 2018, Ticketmaster UK confirmed that it had suffered a major breach in which the personal and payment information of around 5 percent of its customers was taken by an unauthorised third party.

The breach happened after attackers planted malicious code in a customer-support chatbot hosted by Inbenta Technologies, an external third-party supplier, which Ticketmaster had embedded on its payment page. Because the skimming code ran in the browser of every customer who loaded that page, it could read what they typed into the payment form and send it to the attackers: names, addresses, email addresses, telephone numbers, payment card details and Ticketmaster login details of Ticketmaster UK customers.

The breach affected UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018, and international customers (except those in North America) who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018, on Ticketmaster UK’s website.

On Friday, the ICO issued the £1.25 million fine to Ticketmaster UK, holding the company responsible for failing to prevent an attacker from accessing customers’ payment details and thereby breaching the General Data Protection Regulation (GDPR). Although the breach began in February 2018, the penalty relates only to the period from May 25, 2018, when the GDPR came into force.

The ICO found that the company’s failure to assess and appropriately secure a third-party chatbot installed on its online payment page allowed attackers to exfiltrate the personal and payment information of 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK.

The card details skimmed from the payment page were then used for a large volume of fraudulent transactions: according to the ICO, 60,000 payment cards belonging to Barclays Bank customers were subjected to known fraud.

The breach began in February 2018, and banks and card schemes including Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express reported fraud on Ticketmaster customers’ cards to Ticketmaster UK. Even so, it took the company nine weeks from first being alerted to start monitoring the network traffic passing through its online payment page and identify the breach.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud,” said James Dipple-Johnstone, Deputy Commissioner of the ICO.

According to security firm RiskIQ, the attack on Ticketmaster UK’s website was carried out by the Magecart group, which specialises in this kind of browser-side card skimming. The group used a similar technique to exfiltrate the personal and payment information of around 380,000 people who made bookings and changes between August 21 and September 5, 2018, on British Airways’ website and mobile application.

In October 2020, the ICO also fined British Airways £20 million for failing to prevent attackers from exfiltrating the personal data of 429,612 customers and staff, including the payment card numbers and CVV numbers of 244,000 BA customers.

The incident that attracted the fine involved the attackers injecting 22 lines of script into JavaScript served by the British Airways website, so that the modified code read the contents of payment forms and sent them to a server the attackers controlled. Between August 21 and September 5, 2018, the skimmer exfiltrated the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. The attackers also stole usernames and passwords for BA employee and administrator accounts, as well as the usernames and PINs of up to 612 BA Executive Club accounts.

According to the ICO, British Airways could have prevented the breach by limiting access to applications, data and tools to what each role actually needed, by rigorously testing its systems through simulated cyber-attacks, and by protecting employee and third-party accounts with multi-factor authentication.

The ICO noted that the attacker first gained access to BA’s systems on June 22, 2018, and that BA did not detect the compromise, or the later exfiltration of data from its website, for more than two months. It was only after a third party alerted the airline to the attack that it acted promptly and notified the ICO.
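Both incidents come down to script running on a payment page that nobody was checking: an unvetted third-party chatbot in Ticketmaster’s case, modified first-party JavaScript in BA’s. The Node.js script below is an added example, not code from the ICO, Ticketmaster, BA or any vendor. It audits the script tags on a checkout page against an allowlist and subresource integrity, flags outbound requests to unexpected destinations (the check that monitoring the payment page’s traffic would perform), and builds the Content-Security-Policy header that enforces the same allowlist in the browser. The first-party origin `https://shop.example`, the permitted provider `https://js.psp.example`, the page HTML and the request log are all constructed for illustration.

```javascript
// Added example (not ICO, Ticketmaster or BA code): audit the scripts a
// checkout page loads and the destinations it talks to, then build the
// Content-Security-Policy that would block the unlisted ones.
// All origins, HTML and log lines below are constructed for illustration.

const SITE_ORIGIN = 'https://shop.example';            // assumed first-party origin
const ALLOWED_THIRD_PARTY = ['https://js.psp.example']; // assumed: only the payment provider may run script here

// Constructed checkout page: a first-party script with SRI, the permitted
// payment-provider script with SRI, an unlisted chat widget without SRI
// (the Ticketmaster pattern), and an inline script.
const CHECKOUT_HTML = `<!doctype html><html><head>
<script src="/static/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://js.psp.example/v1/tokenize.js" integrity="sha384-BBBB"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script>window.__cfg = { currency: "GBP" };</script>
</head><body>
<form id="payment" action="/pay" method="post"><input name="pan"><input name="cvv"></form>
</body></html>`;

// Constructed log of outbound requests seen from the checkout page, i.e. what
// monitoring the payment page's network traffic would have produced.
const OBSERVED_REQUESTS = [
  'https://shop.example/pay',
  'https://js.psp.example/v1/tokenize',
  'https://collect.attacker.example/gate.php?d=eyJwYW4iOi4uLn0=',
];

const originOf = (url) => new URL(url, SITE_ORIGIN).origin;

// Classify every <script> tag. A regex is enough for server-rendered markup in
// an audit script; it is not a full HTML parser.
function auditScripts(html) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    const integrity = (attrs.match(/\bintegrity\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) {
      findings.push({ src: null, verdict: 'inline', reason: 'inline script: needs a CSP nonce or hash' });
      continue;
    }
    const origin = originOf(src);
    let verdict = 'ok';
    let reason = 'permitted origin with subresource integrity';
    if (origin !== SITE_ORIGIN && !ALLOWED_THIRD_PARTY.includes(origin)) {
      verdict = 'block';
      reason = 'third-party origin not on the allowlist';
    } else if (!integrity) {
      // BA's attackers modified scripts the site already served, so SRI matters
      // for first-party files too: a changed file then fails to load instead of running.
      verdict = 'warn';
      reason = 'no integrity attribute: a modified file would still execute';
    }
    findings.push({ src, origin, verdict, reason });
  }
  return findings;
}

// Flag any outbound request to an origin that is neither the site nor a permitted provider.
function auditRequests(urls) {
  return urls.filter((u) => {
    const o = originOf(u);
    return o !== SITE_ORIGIN && !ALLOWED_THIRD_PARTY.includes(o);
  });
}

// The policy that enforces the allowlist in the browser. script-src stops
// unlisted scripts from loading; connect-src, img-src and form-action close the
// usual exfiltration channels (XHR/fetch/sendBeacon, image beacons, form posts).
function buildCsp() {
  const providers = ALLOWED_THIRD_PARTY.join(' ');
  return [
    `default-src 'self'`,
    `script-src 'self' ${providers}`,
    `connect-src 'self' ${providers}`,
    `img-src 'self'`,
    `form-action 'self'`,
  ].join('; ');
}

console.log(auditScripts(CHECKOUT_HTML));
console.log('unexpected destinations:', auditRequests(OBSERVED_REQUESTS));
console.log('Content-Security-Policy:', buildCsp());
```

Run with `node audit.js`. The chat widget is reported as `block`, the request to `collect.attacker.example` is the only unexpected destination, and the generated policy would refuse to load the widget at all. The inline script is reported separately because the policy also blocks it unless it is given a nonce or hash; on a real checkout page that is usually the first thing that needs tidying before the header can be deployed in enforcing mode, so start with `Content-Security-Policy-Report-Only` and a report endpoint.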
