A British ticketing company has been financially penalized over a 2018 data breach that exposed the personal information of millions of customers across Europe.
The Information Commissioner’s Office (ICO) has fined Ticketmaster UK Limited £1.25m for failing to keep its customers’ personal data secure.
Ticketmaster issued a data breach notice in June 2018 after a third-party platform provider, Inbenta Technologies, was infected with malicious software.
The malware, which was detected on a customer support product, exfiltrated customer data and passed it on to an unknown attacker.
Information compromised in the incident included names, addresses, emails, telephone numbers, payment card numbers, expiry dates, CVV numbers, and Ticketmaster login details of as many as 11 million Ticketmaster customers in Europe and the United Kingdom.
An investigation into the incident by the ICO found that Ticketmaster violated the General Data Protection Regulation by failing to put "appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page."
The breach, which began in February 2018, was discovered after Monzo Bank customers reported fraudulent transactions.
"The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster," said the ICO, "but the company failed to identify the problem."
Investigators found that Ticketmaster only started monitoring the network traffic through its online payment page nine weeks after being alerted to possible fraud.
Investigators found that the breach caused 60,000 payment cards belonging to Barclays Bank customers to be used fraudulently. Another 6,000 cards belonging to Ticketmaster customers were replaced by Monzo Bank over suspected fraudulent use.
"A key point from this case is that the data compromised was not submitted to the chat bot itself, but to pages on which the chat bot was embedded, which hackers were then able to scrape through exploiting the chat bot," commented Emma Erskine-Fox, associate at UK law firm TLT.
"When assessing the risks of processing personal data using software embedded into websites, organizations should therefore consider not just what data might be submitted to that particular software, but how any vulnerabilities might affect data submitted on other areas of the website."