November 17, 2020

ICO imposes £1.25 million fine for GDPR violations

On November 13, 2020, the UK Information Commissioner’s Office announced that it had fined Ticketmaster UK Limited for failing to protect customer information, in violation of the General Data Protection Regulation.

According to the ICO, Ticketmaster included on its online payment page a chat-bot hosted by a third party. The chat-bot enabled cyberattackers to access the names and payment card information of over 9 million Ticketmaster customers in Europe, including 1.5 million consumers in the UK. As detailed in the Penalty Notice, the breach was first suspected in April 2018, when customers of Monzo Bank noticed fraudulent transactions. The bank identified Ticketmaster’s payment site as the source of the data breach and presented its evidence to Ticketmaster on April 16, 2018. Four major international banks subsequently reported possible fraud to Ticketmaster, but Ticketmaster began monitoring the traffic on its online payment page only nine weeks later. At least 60,000 payment cards were used fraudulently as a result of the breach.

The ICO found that Ticketmaster failed to assess the risks of using the third-party chat-bot on its payment page, did not implement appropriate security measures, and failed to identify the source of the fraudulent activity once alerted to the apparent malfeasance.

Pursuant to Article 56 of the GDPR, the ICO acted as lead supervisory authority for this transnational incident, as the breach occurred prior to the UK’s departure from the European Union. With the approval of other European data protection agencies, the ICO imposed a monetary penalty of £1.25 million (approximately $1.6 million). Although the incident took place between February 2018 and June 23, 2018, the applicable period for purposes of the penalty runs from May 25, 2018, when the GDPR entered into force, until the conclusion of the incident in June. The GDPR requires that penalties for serious compliance failures be effective, proportionate and dissuasive. In announcing this penalty, which was reduced by £250,000 in recognition of the effects of the Covid-19 pandemic, the Deputy Commissioner of the ICO said that the fine “will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

ICO news release | Penalty Notice