Ticket sales and distribution company Ticketmaster has been fined by the UK Information Commissioner’s Office (ICO) for a breach that took place over the course of a few months in 2018.
According to a release from the ICO, the company will need to pay approximately $1.65 million for failing to properly safeguard its clients’ data.
The communications watchdog says Ticketmaster did not install “appropriate security measures” to prevent a cyberattack from happening in the first place.
Because the breach was still under way after May 25, 2018, and was uncovered and stopped before the UK left the EU, it falls under the General Data Protection Regulation (GDPR), and the ICO treated it as such.
The ICO’s investigation found that Ticketmaster had deployed a third-party chatbot on its payment page, which was how cybercriminals managed to obtain customer data.
As a result of the data breach, names, payment card numbers, expiry dates and CVV numbers of approximately 9.4 million Europe-based Ticketmaster customers were exposed.
Some 60,000 Barclays Bank credit cards were subject to known fraud, as well as 6,000 cards from Monzo Bank, as a direct result of the breach.
“Ticketmaster should have done more to reduce the risk of a cyberattack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud,” said James Dipple-Johnstone, Deputy Commissioner.
“The £1.25 million fine we’ve issued today will send a message to other organizations that looking after their customers’ personal details safely should be at the top of their agenda.”
After being tipped off about potential fraud, it took Ticketmaster nine weeks to identify the vulnerability and eliminate it from its system.