Ticketmaster fined £1.25m over customer data breach

Personal information and card details belonging to tens of thousands of people were stolen by hackers.


Ticketmaster UK must pay a £1.25m fine after failing to secure customers' card details and personal information.

A cyber attack in 2018 saw hackers steal sensitive data belonging to potentially millions of customers across Europe.

Now, the Information Commissioner's Office (ICO) has handed the online ticket company a large fine.

Ticketmaster UK says it will appeal against the ruling.

According to BBC News, an investigation found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page.

A cyber-attacker was able to use the chatbot to access customer payment details.

Following the breach, 60,000 Barclays bank customers were victims of fraud. Online bank Monzo had to replace 6,000 payment cards due to fraud.

The ICO said Monzo, the Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express had all warned Ticketmaster of suspected fraud.

But Ticketmaster took nine weeks to start monitoring activity on its payments page, according to the ICO.

James Dipple-Johnstone, deputy commissioner at the ICO, said: "Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud."

In a statement, Ticketmaster said: "Ticketmaster takes fans' data privacy and trust very seriously.

"Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today's announcement."




The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.