Serviceteam IT Security News

A British ticketing company has been financially penalized over a 2018 data breach that exposed the personal information of millions of customers across Europe. 

The Information Commissioner’s Office (ICO) has fined Ticketmaster UK Limited £1.25m for failing to keep its customers’ personal data secure.

Ticketmaster issued a data breach notice in June 2018 after a third-party platform provider, Inbenta Technologies, was infected with malicious software.

The malware, which was detected on a customer support product, exfiltrated customer data and passed it on to an unknown attacker. 

Information compromised in the incident included names, addresses, emails, telephone numbers, payment card numbers, expiry dates, CVV numbers, and Ticketmaster login details of as many as 11 million Ticketmaster customers in Europe and the United Kingdom.

An investigation into the incident by the ICO found that Ticketmaster violated the General Data Protection Regulation by failing to put “appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.”

The breach, which began in February 2018, was discovered after Monzo Bank customers reported fraudulent transactions. 

“The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster,” said the ICO, “but the company failed to identify the problem.”

Investigators found that Ticketmaster only started monitoring the network traffic through its online payment page nine weeks after being alerted to possible fraud.

Investigators found that the breach caused 60,000 payment cards belonging to Barclays Bank customers to be used fraudulently. Another 6,000 cards belonging to Ticketmaster customers were replaced by Monzo Bank over suspected fraudulent use.

“A key point from this case is that the data compromised was not submitted to the chat bot itself, but to pages on which the chat bot was embedded, which hackers were then able to scrape through exploiting the chat bot,” commented Emma Erskine-Fox, associate at UK law firm TLT.

“When assessing the risks of processing personal data using software embedded into websites, organizations should therefore consider not just what data might be submitted to that particular software, but how any vulnerabilities might affect data submitted on other areas of the website.”

Source: Infosecurity Magazine
