General Data Protection Regulation (GDPR) , Governance & Risk Management , Incident & Breach Response
Ticketmaster Fined $1.7 Million for Data Security Failures
Following Alerts of Potential Fraud, Ticketmaster Took 9 Weeks to Spot Big BreachTicketmaster UK has been fined 1.25 million pounds ($1.7 million) by Britain's privacy watchdog for its "serious failure" to comply with the EU's General Data Protection Regulation.
See Also: Forrester Top 35 Global Breaches Report: Balance Defense with Defensibility
Regulators say the company failed to properly secure chatbot software that it opted to run on a payments page, which attackers subverted, allowing them to steal payment card information. After being alerted to suspected card fraud that traced to its site, Ticketmaster UK allegedly failed to mitigate the problem for nine more weeks.
The fine was announced on Friday by the Information Commissioner's Office, which enforces GDPR in Britain.
Ticketmaster UK says it plans to appeal the ruling. The company is a subsidiary of ticket sales and distribution giant Ticketmaster, owned by Live Nation Entertainment, which is based in Beverly Hills, California.
The ICO, which launched its investigation in June 2018, says the fine only applies to Ticketmaster's failures following GDPR going into full effect in May 2018. As the investigation concluded before the U.K. left the EU, the ICO says it served as the lead supervisory authority for the EU and that the penalty represents a consensus decision by all data protection authorities across Europe.
2018 Data Breach
The fine announced by the ICO traces to a breach that began in February 2018.
Ultimately, the breach exposed personal details - including names, payment card numbers, expiration dates and CVV numbers - for approximately 9.4 million European Ticketmaster customers, including 1.5 million in the U.K. At least 60,000 Barclays Bank cards have been tied to known fraud, the ICO says, while Monzo Bank replaced 6,000 cards after it detected signs of fraudulent use.
Attackers also compromised details for an unknown number of customers outside the EU, including in Australia and New Zealand.
Security experts say the breach appears to have been tied to groups of attackers - collectively known as Magecart - that implant code on websites that allows them to steal payment card data.
'Millions … Exposed to Potential Fraud'
Regulators say Ticketmaster's failure to lock down JavaScript chat software it opted to use on a payments page, as well as its failure to detect and remediate the breach in a timely manner - or fully detail the breach to the ICO within 72 hours of detecting it - meant it violated GDPR in multiple ways.
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not," says James Dipple-Johnstone, the ICO's deputy commissioner.
“Ticketmaster should have done more to reduce the risk" posed by a potential online attack, Dipple-Johnstone says. "Its failure to do so meant that millions of people in the U.K. and Europe were exposed to potential fraud."
Ticketmaster UK didn’t immediately respond to a request for comment. But in written comments provided to the ICO, as well as a statement issued to the BBC, the firm blamed the breach on Inbenta Technologies, which develops the JavaScript chatbot software Ticketmaster was using.
"Ticketmaster takes fans' data privacy and trust very seriously," the company says in its statement. "Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today's announcement."
Attackers Subverted JavaScript Chatbot
When Ticketmaster first disclosed the breach in June 2018, it said attackers had exploited its Inbenta chatbot software to steal data from customers of its Ticketmaster International, Ticketmaster UK, GET ME IN! and TicketWeb sites.
"As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites," Ticketmaster said at the time.
Security experts say that, because the software was being used on Ticketmaster payment pages, it appears to have allowed attackers to inject JavaScript that allowed them to steal customer details.
Responding to the breach, Inbenta said Ticketmaster should never have been using the custom JavaScript on a card payment page.
"Ticketmaster directly applied the script to its payments page, without notifying our team," Inbenta Technologies CEO Jordi Torras said at the time. "Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018."
Breach Timeline
The ICO's 73-page monetary penalty notice against Ticketmaster UK says the company missed multiple opportunities to spot and remediate the breach in a more timely manner.
After the breach began in February 2018, representatives from London-based Monzo Bank met with Ticketmaster on April 12, 2018, warning the company that it had traced stolen payment data to Ticketmaster's site.
According to the ICO, in a meeting about four days later, Monzo provided Ticketmaster with what it described as "smoking gun" evidence: A legitimate customer had entered an incorrect expiration date for their credit card when trying to buy tickets, leading to the transaction failing. "That same payment card and incorrect expiry date was then used in an attempted fraudulent transaction the following Monday," the ICO reports.
By April 19, 2018, Monzo had decided to replace 6,000 payment cards. It published a statement on its website saying it had been informed by Ticketmaster that its investigation had found no signs that its systems had been breached and said no other card issuers had reported any fraud.
At about that time, however, the Commonwealth Bank of Australia, as well as American Express, Barclaycard and Mastercard "all reported suggestions of fraud to Ticketmaster," the ICO says. "But the company failed to identify the problem."
The ICO says that, around May 5, 2018, Ticketmaster hired four digital forensics firms to investigate, but they primarily looked into the Australian fraud reports. The regulator says the investigators "determined that any breach of Ticketmaster's systems most likely originated out of Ticketmaster's Australian website, which was largely housed in North American networks and data centers."
The ICO says that Ticketmaster failed to instruct its incident response teams to investigate any potential breach of its U.K. or European payment systems. After receiving threat intelligence from Visa about malicious, third-party scripts, the incident response team also failed to identify the subverted chat software.
Other indications that something was amiss included a Ticketmaster customer who was using its site in Ireland reporting, on May 31, 2018, that "their anti-virus product … identified Ticketmaster's website as malicious, in particular the reference to the Inbenta tag," the ICO notes.
Ticketmaster did not confirm the breach and identify the cause until about three weeks later. On June 23, the JavaScript chatbot was identified as being the cause, and it was deactivated on most sites, except sites in France and on getmain.com, which were disabled the next day.
Right to Respond
The ICO's fine against Ticketmaster follows the regulator in recent weeks fining British Airways 20 million pounds ($26.4 million) and Marriott 18.4 million pounds ($24.3 million) - the two biggest privacy fines ever issued in the U.K. - for security failures tied to separate breaches suffered or detected in 2018.
One notable aspect of both fines was that they respectively amounted to just 10% and 20% of the penalties the ICO initially proposed in its "notice of intent" to fine the organizations. After an organization has been served with such a notice, it has the opportunity to respond before the ICO sets a final fine.
In the case of Ticketmaster UK, in February, the ICO issued its notice of intent to impose a fine of 1.5 million pounds, after which Ticketmaster exercised its right to respond to the findings in writing. Subsequently, the ICO reduced the fine to 1.25 million pounds.
In determining the fines for British Airways, Marriott and Ticketmaster, the ICO said it factored in their written responses, as well as "the economic impact of COVID-19," before determining the final penalty (see: Marriott and BA's Reduced Privacy Fines: GDPR Realpolitik).
Under GDPR, organizations that get fined also have a right to appeal the decision in court. Thus, legal experts say, regulators appear to be trying to set final penalties that will survive such appeals (see: German Court Slashes a GDPR Privacy Fine by 90%).
Of course, the Ticketmaster penalty and others stand as a data security warning to other organizations. “The 1.25 million pound fine we’ve issued … will send a message to other organizations that looking after their customers’ personal details safely should be at the top of their agenda," says the ICO's Dipple-Johnstone.
The breach is now the focus of at least one group action - aka class-action lawsuit - filed by Keller Lenkner UK, over the financial and emotional effect on victims.
"While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million U.K. customers," Kingsley Hayes, the firm's head of cybercrime, tells the BBC.