Ticketmaster Fined Due to Insecure Website and a Massive Data Breach
Table of Contents
- By Dawna M. Roberts
- Published: Nov 17, 2020
- Last Updated: Mar 18, 2022
Ticketmaster, the leading seller of sports, music, and artistic show tickets were fined #1.7 million by the British Information Commissioner’s Office over serious violations of EU’s General Data Protection Regulations.
What Happened
On November 13, the Information Commissioner’s Office (ICO) announced that they had fined Ticketmaster UK Limited for failure to secure its website appropriately, allowing hackers to target a third-party chat-bot and steal credit card data from customers as they processed payments.
The ICO cited this as a breach of the EU General Data Protection Regulation (GDPR).
According to the ICO, the data breach included: “names, payment card numbers, expiry dates, and CVV numbers, potentially affected 9.4million of Ticketmaster’s customers across Europe including 1.5million in the UK.”
The actual data breach occurred in February 2018. Along with British customers, the data breach also affected customers in New Zealand and Australia. Threat researchers have identified the hacker group as Magecart, a notorious cybercriminal gang linked to numerous other data breaches in which payment details were stolen.
The breach was initially discovered when Monzo Bank customers reported fraud on their accounts. Additionally, Barclaycard, Mastercard, and American Express customers all filed complaints with Ticketmaster, but the company failed to take action, and this fine is the result.
What the ICO Says
In their report, they also noted that “Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Monzo Bank replaced another 6,000 cards after it suspected fraudulent use.”
Ticketmaster is also admonished for not spotting the issue for nine long weeks while millions of people were left open to fraud and identity theft.
The ICO called out three items that resulted in the fine; they were:
- “Assess the risks of using a chat-bot on its payment page.
- Identify and implement appropriate security measures to negate the risks.
- Identify the source of suggested fraudulent activity in a timely manner.”
ICO’s Deputy Commissioner was quoted as saying:
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.”
“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”
“The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
The ICO also reported that “The breach occurred before the UK left the EU, therefore the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.”
It’s not quite as simple as it appears. In the ICO’s 73-page report on the issue, they mention several opportunities where Ticketmaster failed to notice or remedy the situation, including Monzo bank providing the ticket retailer with detailed proof linking fraud back to the Ticketmaster website.
By April 2018, Monzo had to replace 6,000 payment cards affected by the Ticketmaster data breach. Other card companies also reported similar findings to Ticketmaster without them doing anything about it. By early May, Ticketmaster finally hired cybersecurity firms to examine the data, but they focused only on Australian fraud reports. About three weeks later, Ticketmaster finally acknowledged the data breach and took down the chat-bot from all their affiliated websites.
How Ticketmaster Responded
The actual breach began in February of 2018 and was discovered in May 2018. On June 23, 2018, Ticketmaster removed the infected chat-bot. The chat-bot was developed by Inbenta Technologies and was written in JavaScript. At the time of the breach, Ticketmaster was quoted as saying, “As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites.”
To deflect the blame from themselves, Ibenta said that Ticketmaster should never have used the custom JavaScript chat-bot on a payment page. Inbenta’s CEO Jordi Torras said, “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”
Ticketmaster responded with, “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today’s announcement.”
Ticketmaster UK is owned by Live Nation Entertainment out of Beverly Hills, California.
It will be interesting to see what, if anything, comes from the appeal.
