Photo Credit: Claudio Schwarz
A massive Ticketmaster hack in the UK has resulted in a fine of $1.7 million for violations of the EU’s GDPR laws.
Regulators say Ticketmaster UK failed to secure its website chatbot on the payments page. Attackers then subverted the chatbot, allowing them to steal payment info from unsuspecting concert goers. After being alerted to the fraud traced to its site, Ticketmaster UK did not address the problem for nine more weeks.
In the wake of that incident, the Information Commissioner’s Office (ICO) in Britain announced the fine of 1.25 million pounds ($1.7MM). The ICO is responsible for enforcing the General Data Protection Regulation (GDPR) in the UK. Ticketmaster UK says it plans to appeal the ruling.
ICO launched its investigation in June 2018 and said Ticketmaster was fined for its security failures after May 2018.
The ICO says its investigation was concluded in the UK before it left the EU. It served as the supervisory authority for the EU, and the fine “represents a consensus decision by all data protection authorities across Europe.” The breach the ICO investigated started back in February 2018.
The hackers were able to access personal details, including names, payment card details, expiration dates, and full CVV numbers of 9.4 million European Ticketmaster customers. The data breach impacted 1.5 million UK customers.
Beyond that, at least 60,000 Barclays Bank cards were tied to fraud from the Ticketmaster UK data breach. Monzo Bank replaced around 6,000 bank cards after it detected signs of fraudulent use. Some compromised accounts were also outside the UK in other commonwealth countries – namely in Australia and New Zealand. Security experts say a group known as Magecart was able to inject code on Ticketmaster’s website to collect payment information.
Regulators believe Ticketmaster’s failure to secure the JavaScript chat software violated GDPR. Even after Ticketmaster UK was notified of the breach, it failed to respond in a timely manner.
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” James Dipple-Johnstone, the ICO’s Deputy Commissioner, says. “Ticketmaster should have done more to reduce the risk. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”
Ticketmaster UK has not responded to the fine, but it did provide written statements to the ICO. In that statement, Ticketmaster blames the data breach on a third-party contractor and says it plans to appeal against the fine. Inbenta Technologies, the third-party Ticketmaster UK blames, says Ticketmaster should have never implemented its software on a secure payment page.
“Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability,” Inbenta Technologies CEO Jordi Torras said of the case.