Ticketmaster has been fined £1.25m for losing more than a million British customers’ payment card details in a data breach in 2018.
At the time the company admitted personal information and card details belonging to 40,000 customers were stolen by hackers, but the true impact has been revealed to be much higher by the Information Commissioner’s Office (ICO).
According to the ICO, the data breach – which included names, payment card numbers, expiry dates and CVV numbers – potentially affected 9.4m of the company’s customers, including 1.5m in the UK.
The data watchdog’s investigators found that 60,000 payment cards belonging to Barclays Bank customers were subjected to known fraud as a result of the breach, with another 6,000 replaced by Monzo Bank following suspected fraudulent use.
Ticketmaster failed to “assess the risks of using a chat-bot on its payment page, identify and implement appropriate security measures to negate the risks [and] identify the source of suggested fraudulent activity in a timely manner”, according to the ICO.
It took Ticketmaster nine weeks to identify the breach after the first reports of fraud, which came from Monzo Bank customers in February 2018.
Other card providers, including the Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express, all reported suggestions of fraud to Ticketmaster – but the company failed to identify the problem, said the ICO.
More than two months after the first report, the company began monitoring the network traffic through its online payment page and discovered that hackers were siphoning off customer details due to a vulnerability in the chat-bot system it was using.
The watchdog’s deputy commissioner James Dipple-Johnstone said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.
“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.
“The £1.25m fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”