The events giant faces a GDPR-related penalty in the U.K., and more could follow.
Ticketmaster’s UK division has been slapped with a $1.65 million fine by the Information Commissioner’s Office (ICO) in the UK, over its 2018 data breach that impacted 9.4 million customers.
The fine (£1.25 million) has been levied after the ICO found that the company “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page” – a failure which violates the E.U.’s General Data Protection Regulation (GDPR).
In June 2018, the ticket-selling giant said that it found malware within a customer chat function for its websites, hosted by Inbenta Technologies. Worryingly, the malicious code was found to be accessing an array of information, including name, address, email address, telephone number, payment details and Ticketmaster login details. It later came to light that the attack was the work of the Magecart gang, known for injecting payment skimmers into vulnerable website components.
The malware managed to stay under the radar for months as well, Ticketmaster admitted at the time. The breach affected international customers who purchased, or attempted to purchase, event tickets between September 2017 and late June 2018; while UK users were impacted between February and June 2018.
U.S. customers were not affected.
The UK portion of the breach began in February 2018 when Monzo Bank customers reported fraudulent transactions, the ICO said.
“The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster,” according to the regulator’s announcement of the fine. “But the company failed to identify the problem.”
Thus, the ICO found that Ticketmaster not only failed to look into risks and appropriate security measures for the chatbot, but that it didn’t identify the issue in a timely manner.
The watchdog also determined that the breach did in fact lead directly to widespread fraud.
“Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud,” according to the ICO. “Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.”
Although the UK portion of the breach began in February 2018, the penalty only relates to the issues starting in May 2018, when new rules under the GDPR came into effect.
Other Ticketmaster divisions were eventually found to be impacted by the Magecart attacks, which could lead to further GDPR fines.
Researchers at RiskIQ in 2018 uncovered evidence that the Inbenta attack was not a one-off, but instead indicative of a larger initiative involving successful breaches of many different third-party providers, including Inbenta, the SociaPlus social media integration firm, web analytics companies PushAssist and Annex Cloud, the Clarity Connect CMS platform and others.
RiskIQ also said that as a result, it found evidence the skimmer was active on a broader range of Ticketmaster websites than previously known, including Ticketmaster sites for Ireland, Turkey and New Zealand, among others.
“When customers handed over their personal details, they expected Ticketmaster to look after them,” said James Dipple-Johnstone, ICO deputy commissioner. “But they did not. Ticketmaster should have done more to reduce the risk of a cyberattack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”