The ICO has fined Ticketmaster UK Ltd £1.25 million for failing to keep its customers’ personal data secure. The ICO found that the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page. The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4 million of Ticketmaster’s customers across Europe including 1.5 million in the UK.

ICO investigators found that as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO found that Ticketmaster failed to:

• assess the risks of using a chat-bot on its payment page;
• identify and implement appropriate security measures to negate the risks; and
• identify the source of suggested fraudulent activity in a timely manner.

As a result, the ICO said that Ticketmaster failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR.

The ICO found that the infringements constituted a serious failure to comply with the GDPR and, accordingly, that the imposition of a £1,250,000 penalty was appropriate. To read the ICO’s press release in full and for a link to the monetary penalty notice, click here.