On 13th November 2020, the UK Information Commissioner fined Ticketmaster £1.25 Million for a personal data breach involving skimming credit card data from its website. The fine related to the period from 25th May 2018 to 23rd June 2018. The fine would have been £1.5 Million (1.48% of Ticketmaster’s turnover), but was reduced as a consequence of the Commissioner’s Covid-19 related regulatory action policy changes. Ticketmaster notified 9.4 Million data subjects in the EEA that they could be affected by the incident. Card details of 66,000 individuals were compromised in the incident.
Commissioner rejected arguments that only malicious actors and a third party supplier should be held responsible for the breach; Ticketmaster should have taken further steps to mitigate the risk posed by use of third party scripts on webpages where personal data – especially card data – was processed
Ticketmaster made use of a chatbot on its website, hosted by a third party, Inbenta. The chatbot was included on various pages on its website – including payment pages. The breach was attributable to malicious code in the chatbot, which captured all details entered by customers on the payment pages, including payment card information and username and password.
The Information Commissioner found that Ticketmaster should have taken measures to negate the risk that third party scripts could infect the chatbot. She rejected Ticketmaster’s arguments that the breach should be attributable entirely to the actions of malicious actors, or of Inbenta, and that Ticketmaster itself was not to blame. Instead, the Commissioner cited guidance from ENISA, the NCSC and other literature, which she said showed that the risk posed by including third party scripts on payment pages was well known. Mitigating actions which Ticketmaster could have taken would have been local hosting of the chatbot, using content security policies or use of iFrames. The Commissioner stated that Ticketmaster should have carried out a risk assessment whenever it implemented third party scripts on a web page where personal data was processed.
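The mitigations named above (local hosting, content security policies, iFrames) can be checked mechanically on any page that takes card data. The following Python check is an added example, not taken from the monetary penalty notice or from Ticketmaster's or Inbenta's code; the hostnames, sample pages and function names are constructed for illustration, and the Subresource Integrity check goes beyond the three mitigations the Commissioner listed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Tags(HTMLParser):
    """Collect <script src> and <iframe src> tags with their attributes."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.found.append((tag, a))

def script_sources(csp):
    """Return the source list that governs scripts (script-src, else default-src)."""
    directives = {}
    for part in csp.split(";"):
        words = part.split()
        if words:
            directives.setdefault(words[0].lower(), words[1:])
    return directives.get("script-src", directives.get("default-src"))

def audit_payment_page(html, headers, first_party):
    """List findings about third-party code on a page that handles card data."""
    parser = _Tags()
    parser.feed(html)
    findings = []
    for tag, a in parser.found:
        host = urlparse(a["src"]).hostname
        if host is None or host == first_party:
            continue  # relative or same-host resource: locally hosted
        if tag == "script":
            findings.append(f"third-party script from {host} runs in the page origin")
            if "integrity" not in a:
                findings.append(f"script from {host} has no integrity (SRI) attribute")
        elif "sandbox" not in a:
            findings.append(f"iframe from {host} has no sandbox attribute")
    sources = script_sources(headers.get("Content-Security-Policy", ""))
    if sources is None:
        findings.append("no CSP directive restricts script sources")
    elif "*" in sources or "'unsafe-inline'" in sources:
        findings.append("CSP script source list is permissive")
    return findings

# Constructed samples: hostnames are hypothetical.
WEAK = '<form id="pay"></form><script src="https://chat.vendor.example/bot.js"></script>'
HARDENED = ('<form id="pay"></form><script src="/static/app.js"></script>'
            '<iframe src="https://chat.vendor.example/widget" sandbox="allow-scripts"></iframe>')
HARDENED_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-src https://chat.vendor.example"}
```

The weak sample mirrors the arrangement described in the notice: a supplier-hosted script included directly on the payment page, where it can read every field the customer fills in. The hardened sample moves the widget into a sandboxed frame on the supplier's origin and restricts script sources to the site itself.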
Ticketmaster assessed Inbenta, as part of its third party supplier assessment programme, in 2013 and 2018. The Commissioner stated that this interval was too extended. She also concluded that Ticketmaster failed to comply with PCI-DSS – even though the chatbot wasn’t intended to process card data, it was connected to the cardholder environment and therefore should have met PCI-DSS requirements, which would have resulted in stricter risk assessments of Inbenta and an annual compliance check.
The way the incident was handled contributed to the nature and gravity of the incident, which is a material factor in determining the penalty. The Commissioner did not rely on arguments that Ticketmaster was late in notifying the incident
Ticketmaster identified (and disabled) the malicious code responsible for the breach on 23rd June 2018. However, there was some evidence that its site had been affected since February 2018. Monzo notified Ticketmaster of fraudulent transactions associated with its site in April 2018. There were further notifications of fraud in April from Barclaycard, Mastercard and Amex. Visa notified Ticketmaster of large volumes of fraud in May 2018 and a user tweeted an alert to Ticketmaster in May, specifically notifying Ticketmaster that its chatbot appeared to be infected.
Ticketmaster only set up an incident response team in May. Its terms of reference covered only Microsoft Windows systems; payment systems in the UK/Europe were not in scope. As a result it did not identify any malicious code. Ticketmaster did not carry out any passive monitoring on its payment page until 23rd June 2018, when the incident was detected.
In her Preliminary Enforcement Notice, the Commissioner had originally also stated that Ticketmaster breached Art.33 GDPR, that is, that it was late in notifying the Commissioner of the incident. Ticketmaster argued that it only had confirmation of the incident on 22nd June (when Barclaycard notified it of 37,000 instances of fraud) and that, accordingly, it was not late. In the final Enforcement Notice, the Commissioner does not argue that Ticketmaster was late in notifying (she expresses no view on this either way).
ICO noted that Ticketmaster had set up a dedicated website, had offered 12 months credit monitoring and had instituted forced password resets. However, the monetary penalty notice does not suggest that the fine was reduced as a result of these actions.
ICO will look to the higher, 4%, band of fines for controllers who breach the security principle, but discounts pre-GDPR breaches
As with the BA and Marriott breaches, the Commissioner took the position that the breach involved a breach of a data protection principle (Art.5(1)(f) of the GDPR), thus allowing her to look to the higher 4% band of fines, instead of the lower 2% band applicable to breach of the security obligations set out at Art.32 of GDPR.
There was evidence that Ticketmaster’s site had been affected since February 2018. The Information Commissioner only took account of the period from 25th May 2018, when the GDPR became fully applicable. Again, this is consistent with the approach she took in the monetary penalty imposed on Marriott.