ICO - Monetary Penalty on Ticketmaster UK Limited
ICO - Monetary Penalty on Ticketmaster UK Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(2) GDPR Article 5(1)(f) GDPR Article 5(2) GDPR Article 32(1)(d) GDPR DPA 3 (4) |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 13.11.2020 |
Published: | 13.11.2020 |
Fine: | 1250000 GBP |
Parties: | Ticketmaster UK Limited |
National Case Number/Name: | Monetary Penalty on Ticketmaster UK Limited |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | The ICO (in EN) |
Initial Contributor: | Mariam Tabatadze |
The Information Commissioner’s Office imposed a fine of £1.25million on Ticketmaster UK Limited for failing to protect its customers’ personal data, breaching GDPR.
English Summary
Facts
- Ticketmaster is a company selling tickets online of events around the world. By its activities, which includes collecting, storing and using the personal data of its individual consumers, for the purpose of online selling, the company is a controller in respect of personal data of its customers, within the meaning of the Article 4(2; 7) GDPR. Ticketmaster was using chat-bot system on its payment page.
- The costumer companies of Ticketmaster started reporting fraudulent transactions in February 2018. The Commonwealth Bank of Australia, Monzo Bank, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. But the company failed to identify the problem and in total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.
- 9.4 million EEA data subjects were notified as having been potentially affected by the Personal Data Breach, of whom 1.5 million data subjects originated in the United Kingdom.
- Ticketmaster has received approximately 997 complaints alleging financial loss and/or emotional distress.
- Ticketmaster notified the Commissioner of the Attack on 23 June 2018 by an email
- In response, the Commissioner commenced an investigation into the incident. That investigation included various exchanges with Ticketmaster and considering detailed submissions and evidence.
Dispute
The ICO has to determine if the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.
Holding
The Commissioner held that in respect of the Incident, Ticketmaster had failed to comply with its obligations under Article 5(1)(f) and Article 32 of GDPR.
- Article 5 (1) : Ticketmaster has failed to comply with the requirements of GDPR including to process personal data in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures." The ICO highlighted that some measures were in place prior to the Personal Data Breach, but they were insufficient in the circumstances.
- Article 32: by the requirements of that article the company to have ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, section 1 (d) of the article requires the regular testing, assessing and evaluating the effectiveness of technical and organisational controls for ensuring the security of processing of data; "The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk' taking into account "the state of the art"; (the state of the art includes knowledge, actual and constructive, of attack vectors) While implementing third party JavaScripts into a website or chat bot the company had to assess the security risk by using such systems, but failed. The company filed to identify the source of suggested fraudulent activity in a timely manner and to notify and Commissioner earlier.
Although the breach began in February 2018, the penalty only relates to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect. The chat-bot was completely removed from Ticketmaster UK Limited’s website on 23 June 2018.
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.