The Information Commissioner’s Office has issued a fine of £1.25 million under the Data Protection Act 2018 to Ticketmaster UK for failing to prevent a data breach that affected nearly ten million customers across Europe, including 1.5 million in the UK.
In June 2018, Ticketmaster UK confirmed that it suffered a major breach of customer records that resulted in the loss of personal and financial information of around 5 percent of its customers to an unauthorised third party.
The breach took place after hackers installed malicious code in a customer support product hosted by Inbenta Technologies, an external third-party supplier. Running on Ticketmaster's pages, the skimming code captured the names, addresses, email addresses, telephone numbers, payment details, and Ticketmaster login details of Ticketmaster UK customers.
The data breach affected Ticketmaster customers who purchased, or attempted to purchase, tickets on Ticketmaster UK's website between February and June 23, 2018, and international customers (except those in North America) who purchased, or attempted to purchase, tickets there between September 2017 and June 23, 2018.
On Friday, the Information Commissioner’s Office issued a fine of £1.25 million to Ticketmaster UK, holding the company squarely responsible for failing to prevent an attacker from accessing customers’ financial details and thereby violating the General Data Protection Regulation (GDPR).
ICO noted that the company’s failure to appropriately secure a chat-bot installed on its online payment page allowed hackers to exfiltrate the personal and financial information of 9.4 million of Ticketmaster’s customers across Europe, including 1.5 million in the UK.
After exfiltrating payment card details from the company's online payment page, the hackers used those details to carry out a large number of fraudulent purchases; according to the ICO, 60,000 payment cards belonging to Barclays Bank customers were subjected to known fraud as a result.
Even though the breach began in February 2018 and the likes of Commonwealth Bank of Australia, Barclaycard, Mastercard, and American Express started reporting instances of fraud to Ticketmaster UK, it took the company nine weeks from being alerted before it monitored the network traffic passing through its online payment page and identified the breach.
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud,” said James Dipple-Johnstone, Deputy Commissioner of the ICO.
According to security firm RiskIQ, the cyber attack on Ticketmaster UK's website was carried out by a hacker group known as Magecart. The group used a similar technique to exfiltrate the personal and payment information of around 380,000 people who made bookings and changes between August 21 and September 5, 2018 on British Airways' website and mobile application.
In October this year, British Airways was also fined £20 million by the ICO for failing to prevent hackers from exfiltrating the personal data of approximately 429,612 customers and staff, including payment card numbers and CVV numbers of 244,000 BA customers.
The incident that earned British Airways the fine involved hackers using 22 lines of script to modify a large number of scripts on British Airways' website, and then using those modifications to extract information from payment forms and transfer it to their own server.
The hackers planted data-skimming code on the British Airways website and, between August 21 and September 5, 2018, exfiltrated the names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers. The hackers also stole usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts.
According to the Information Commissioner’s Office, British Airways could have prevented the breach of data belonging to customers and staff by limiting access to applications, data, and tools, undertaking rigorous testing in the form of simulating a cyber-attack on the business’ systems, and protecting employee and third party accounts with multi-factor authentication.
ICO noted that British Airways did not detect the data exfiltration from its website for more than two months after the attack began on 22nd June 2018. It was only after a third party alerted the airline about the cyber attack that it acted promptly and notified the ICO.