Ticketmaster has been fined £1.25 million by the Information Commissioner’s Office (ICO) for failing to protect customer data from cyber attackers.
A data breach that began in February 2018 was uncovered when Monzo Bank customers reported fraudulent transactions.
Affected websites are Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb.
The fine follows an ICO investigation that found that a chatbot on the company’s online payments page was violating the General Data Protection Regulation (GDPR).
“The investigation found that Ticketmaster’s decision to add the third-party hosted chatbot to its online payments page allowed an attacker to gain access to customers’ financial information,” the ICO said.
The names and card details of 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK, may have been disclosed.
Financial services companies affected included Commonwealth Bank of Australia, Barclays Bank, Monzo, Mastercard and American Express, all of which reported potential fraud to Ticketmaster. “But the company couldn’t identify the problem,” said the ICO.
The ICO found that as a result, 60,000 payment cards from Barclays Bank customers were exposed to known fraud. Meanwhile, Monzo Bank replaced 6,000 cards after suspecting fraudulent use.
James Dipple-Johnstone, Assistant Commissioner for Information, said: “When customers submitted their personal information, they expected Ticketmaster to take care of them. But they didn’t.
“Ticketmaster should have done more to reduce the risk of a cyber attack. Failure to do so resulted in millions of people in the UK and Europe facing potential fraud.”
Dipple-Johnstone said the fine was a message to other organizations that keeping customers safe and secure should be a top priority.
The ICO said Ticketmaster had not assessed the risks of using a chatbot on its payment page, had failed to identify and implement appropriate security measures to negate those risks, and had failed to identify the source of the suggested fraudulent activity in a timely manner.
“It took a total of nine weeks until Ticketmaster was informed about possible fraud cases and the network traffic was monitored via the online payment page,” said the ICO.