Ticket website’s customer data was exposed through an attack on a third-party chatbot
Emea Content Editor, Computer Weekly
Published: 13 Nov 2020 15:19
A data breach, which began in February 2018, was revealed when customers of Monzo Bank reported fraudulent transactions.
Affected websites include Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb.
The fine follows an ICO investigation that found a chatbot on the company’s online payment page put it in breach of the General Data Protection Regulation (GDPR).
“The investigation found that Ticketmaster’s decision to include the chatbot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details,” said the ICO.
The names and card details of 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK, were potentially exposed.
Financial services firms affected included the Commonwealth Bank of Australia, Barclays Bank, Monzo, Mastercard and American Express, which all reported possible fraud to Ticketmaster. “But the company failed to identify the problem,” said the ICO.
The ICO found that as a result, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Meanwhile, Monzo Bank replaced 6,000 cards after it suspected fraudulent use.
James Dipple-Johnstone, deputy information commissioner, said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.
“Ticketmaster should have done more to reduce the risk of a cyber attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”
Dipple-Johnstone said the fine served as a message to other organisations that looking after customers’ personal details safely should be a top priority.
The ICO said Ticketmaster failed to assess the risks of using a chatbot on its payment page, failed to identify and implement appropriate security measures to mitigate those risks, and failed to identify the source of the suspected fraudulent activity in a timely manner.
“In total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page,” said the ICO.