ICO - Monetary Penalty on Ticketmaster UK Limited

From GDPRhub
ICO - Monetary Penalty on Ticketmaster UK Limited
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(2) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(1)(d) GDPR
DPA 3 (4)
Type: Investigation
Outcome: Violation Found
Decided: 13.11.2020
Published: 13.11.2020
Fine: 1250000 GBP
Parties: Ticketmaster UK Limited
National Case Number/Name: Monetary Penalty on Ticketmaster UK Limited
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: The ICO (in EN)
Initial Contributor: Mariam Tabatadze

The Information Commissioner’s Office imposed a fine of £1.25million on Ticketmaster UK Limited for failing to protect its customers’ personal data, breaching GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

  • Ticketmaster is a company selling tickets online of events around the world. By its activities, which includes collecting, storing and using the personal data of its individual consumers, for the purpose of online selling, the company is a controller in respect of personal data of its customers, within the meaning of the Article 4(2; 7) GDPR. Ticketmaster was using chat-bot system on its payment page.
  • The costumer companies of Ticketmaster started reporting fraudulent transactions in February 2018. The Commonwealth Bank of Australia, Monzo Bank, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. But the company failed to identify the problem and in total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.
  • 9.4 million EEA data subjects were notified as having been potentially affected by the Personal Data Breach, of whom 1.5 million data subjects originated in the United Kingdom.
  • Ticketmaster has received approximately 997 complaints alleging financial loss and/or emotional distress.
  • Ticketmaster notified the Commissioner of the Attack on 23 June 2018 by an email
  • In response, the Commissioner commenced an investigation into the incident. That investigation included various exchanges with Ticketmaster and considering detailed submissions and evidence.

Dispute[edit | edit source]

The ICO has to determine if the company took all appropriate security measures to protect data while processing and to identify and prevent a cyber-attack on a chat-bot installed on its online payment page.

Holding[edit | edit source]

The Commissioner held that in respect of the Incident, Ticketmaster had failed to comply with its obligations under Article 5(1)(f) and Article 32 of GDPR.

  1. Article 5 (1) : Ticketmaster has failed to comply with the requirements of GDPR including to process personal data in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures." The ICO highlighted that some measures were in place prior to the Personal Data Breach, but they were insufficient in the circumstances.
  2. Article 32: by the requirements of that article the company to have ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, section 1 (d) of the article requires the regular testing, assessing and evaluating the effectiveness of technical and organisational controls for ensuring the security of processing of data; "The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk' taking into account "the state of the art"; (the state of the art includes knowledge, actual and constructive, of attack vectors) While implementing third party JavaScripts into a website or chat bot the company had to assess the security risk before using such systems, but failed. The company filed to identify the source of suggested fraudulent activity in a timely manner and to notify and Commissioner earlier.

Although the breach began in February 2018, the penalty only relates to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect. The chat-bot was completely removed from Ticketmaster UK Limited’s website on 23 June 2018.

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.