Ticketmaster Fined Due to Insecure Website and a Massive Data Breach

  • By Dawna M. Roberts
  • Nov 17, 2020

Ticketmaster, the leading seller of sports, music, and artistic show tickets were fined #1.7 million by the British Information Commissioner’s Office over serious violations of EU’s General Data Protection Regulations. 

What Happened

On November 13, the Information Commissioner’s Office (ICO) announced that they had fined Ticketmaster UK Limited for failure to secure its website appropriately, allowing hackers to target a third-party chat-bot and steal credit card data from customers as they processed payments. 

The ICO cited this as a breach of the EU General Data Protection Regulation (GDPR).

According to the ICO, the data breach included: “names, payment card numbers, expiry dates, and CVV numbers, potentially affected 9.4million of Ticketmaster’s customers across Europe including 1.5million in the UK.”

The actual data breach occurred in February 2018. Along with British customers, the data breach also affected customers in New Zealand and Australia. Threat researchers have identified the hacker group as Magecart, a notorious cybercriminal gang linked to numerous other data breaches in which payment details were stolen. 

The breach was initially discovered when Monzo Bank customers reported fraud on their accounts. Additionally, Barclaycard, Mastercard, and American Express customers all filed complaints with Ticketmaster, but the company failed to take action, and this fine is the result. 

What the ICO Says

In their report, they also noted that “Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Monzo Bank replaced another 6,000 cards after it suspected fraudulent use.”

Ticketmaster is also admonished for not spotting the issue for nine long weeks while millions of people were left open to fraud and identity theft. 

The ICO called out three items that resulted in the fine; they were:

  • “Assess the risks of using a chat-bot on its payment page.
  • Identify and implement appropriate security measures to negate the risks.
  • Identify the source of suggested fraudulent activity in a timely manner.”

ICO’s Deputy Commissioner was quoted as saying: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.”

“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”

“The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The ICO also reported that “The breach occurred before the UK left the EU, therefore the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.”

It’s not quite as simple as it appears. In the ICO’s 73-page report on the issue, they mention several opportunities where Ticketmaster failed to notice or remedy the situation, including Monzo bank providing the ticket retailer with detailed proof linking fraud back to the Ticketmaster website. 

By April 2018, Monzo had to replace 6,000 payment cards affected by the Ticketmaster data breach. Other card companies also reported similar findings to Ticketmaster without them doing anything about it. By early May, Ticketmaster finally hired cybersecurity firms to examine the data, but they focused only on Australian fraud reports. About three weeks later, Ticketmaster finally acknowledged the data breach and took down the chat-bot from all their affiliated websites.  

How Ticketmaster Responded

The actual breach began in February of 2018 and was discovered in May 2018. On June 23, 2018, Ticketmaster removed the infected chat-bot. The chat-bot was developed by Inbenta Technologies and was written in JavaScript. At the time of the breach, Ticketmaster was quoted as saying, “As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites.” 

To deflect the blame from themselves, Ibenta said that Ticketmaster should never have used the custom JavaScript chat-bot on a payment page. Inbenta’s CEO Jordi Torras said, “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

Ticketmaster responded with, “Ticketmaster takes fans’ data privacy and trust very seriously.  Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today’s announcement.”

Ticketmaster UK is owned by Live Nation Entertainment out of Beverly Hills, California. 

It will be interesting to see what, if anything, comes from the appeal. 

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

What is an Incident Response?

What is an Incident Response?

What is an Incident Response? After a bank heist, the work begins with specialized teams and plans engaged, allowing for analysis of the event, and from this analysis, the bank can prepare a response to the incident.

What is a Social Engineering Attack? Techniques and Ways to Prevent

What is a Social Engineering Attack? Techniques and Ways to Prevent

Everyone has received a spam text or email at some point. Their hallmarks are widely known; they often include poor or strange grammar, suspicious links, suggested connections with companies or people, or random individuals asking for help in some capacity.

Side Channel Attack: Everything You Need To Know

Side Channel Attack: Everything You Need To Know

Every year, millions of people get victimized by data breaches. Criminals steal their data from the network environments of organizations, vendors, providers, institutions, and governments; with ever-increasing frequency, cybercriminals are making big moves in the cyber wars—and making billions of dollars. 

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Close
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close