ICO - Monetary Penalty on Ticketmaster UK Limited
|Relevant Law:||Article 4(2) GDPR; Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 32(1)(d) GDPR; DPA 3 (4)|
|Parties:||Ticketmaster UK Limited|
|National Case Number/Name:||Monetary Penalty on Ticketmaster UK Limited|
|European Case Law Identifier:||n/a|
|Original Source:||The ICO (in EN)|
|Initial Contributor:||Mariam Tabatadze|
The Information Commissioner’s Office imposed a fine of £1.25 million on Ticketmaster UK Limited for failing to protect its customers’ personal data, in breach of the GDPR.
English Summary
Facts
- Ticketmaster is a company that sells tickets online for events around the world. Through its activities, which include collecting, storing and using the personal data of its individual consumers for the purpose of online selling, the company is a controller in respect of the personal data of its customers, within the meaning of Article 4(2; 7) GDPR. Ticketmaster was using a chat-bot system on its payment page.
- The customer companies of Ticketmaster started reporting fraudulent transactions in February 2018. The Commonwealth Bank of Australia, Monzo Bank, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. However, the company failed to identify the problem, and in total it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.
- 9.4 million EEA data subjects were notified as having been potentially affected by the Personal Data Breach, of whom 1.5 million data subjects originated in the United Kingdom.
- Ticketmaster has received approximately 997 complaints alleging financial loss and/or emotional distress.
- Ticketmaster notified the Commissioner of the Attack by email on 23 June 2018.
- In response, the Commissioner commenced an investigation into the incident. That investigation included various exchanges with Ticketmaster and consideration of detailed submissions and evidence.
Dispute
The ICO had to determine whether the company took all appropriate security measures to protect personal data during processing, and to identify and prevent a cyber-attack on a chat-bot installed on its online payment page.
Holding
The Commissioner held that in respect of the Incident, Ticketmaster had failed to comply with its obligations under Article 5(1)(f) and Article 32 of GDPR.
- Article 5(1): Ticketmaster failed to comply with the requirements of the GDPR, including the requirement to process personal data in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures. The ICO highlighted that some measures were in place prior to the Personal Data Breach, but they were insufficient in the circumstances.
Although the breach began in February 2018, the penalty only relates to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect. The chat-bot was completely removed from Ticketmaster UK Limited’s website on 23 June 2018.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.