ICO fines Ticketmaster UK £1.25M over payment data cyber attack

Ticket sales and distribution company Ticketmaster UK has received a £1.25 million fine from the ICO over a payment data breach.

The Information Commissioner's Office (ICO) issued the fine in relation to a 2018 cyber attack on the Ticketmaster website that resulted in a payment data breach. According to the ICO, the attack resulted in the potential theft of personal information and payment details of over nine million customers in Europe.

Results of probe into the cyber attack

Investigators discovered a vulnerability in a third-party chatbot created by Inbenta Technologies, which Ticketmaster used on its online payments page. They found that the attacker was able to access the customers' payment details by using the chatbot.

The breach caused 60,000 cases of fraud that affected Barclays bank customers and forced online bank Monzo to replace 6,000 payment cards because of fraud.

According to the ICO, Ticketmaster received warnings of suspected fraud from Monzo, the Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express, but it took nine weeks before the company began monitoring payment activity.

ICO deputy commissioner James Dipple-Johnstone said: "Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud."

In response to the fine, Ticketmaster said it would appeal the ICO decision.

The company released a statement saying: "Ticketmaster takes fans' data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today's announcement."

Meanwhile, law firm Keller Lenkner will represent thousands of fraud victims and pursue legal action against Ticketmaster.

Kingsley Hayes, head of cybercrime at Keller Lenkner, said: "While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers."

Recent fines imposed by ICO due to data breaches

Earlier this month, Marriott Hotels was fined £18.4 million by the ICO for a major data breach that affected 339 million guests. The cyber attack on Marriott Hotels, which occurred in 2014, led to a data breach that compromised the names, contact information, and passport details of the hotel chain’s guests.

The first part of the cyberattack occurred in 2014 at the Starwood Hotels group, two years prior to its acquisition by Marriott.

However, until the breach was discovered in 2018, the attacker was able to access all affected systems and the data they held, including names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty program numbers.

In mid-October the ICO fined British Airways £20 million for a data breach that affected over 400,000 customers.

The ICO fine was for a 2018 breach that affected both personal and credit card data of British Airways customers. The £20 million fine is significantly lower than the £183 million the ICO originally proposed in 2019.

According to the ICO, the fine was smaller because "the economic impact of Covid-19" had been taken into account. Despite the significant decrease in the amount, it is still the largest penalty issued by the ICO to date.

During the same month, school payments service provider WisePay reported that its website had fallen victim to a cyber attack between October 2 and October 5.

The cyber attack involved creating a spoof page, which allowed the attacker to gather the payment details of parents who made payments using WisePay to UK schools during that period. According to the firm, the attack affected attempted payments to about 300 schools.