Ticketmaster fined £1.25m for 2018 cyberattack

Ticketmaster has received a £1.25m fine from the UK data regulator for failing to implement security measures to prevent a 2018 cyberattack that exposed millions to potential fraud.

The Information Commissioner's Office (ICO) personal found that information and payment details may have been stolen from more than 9 million customers in Europe, including 1.5 million in the UK.

The attack on the ticket sales and distribution site took place through a chatbot on its online payment page when a hacker used the bot access customer payment details. 

At the time the company said malware on a third-party customer support software was behind the attack.

Some 60,000 Barclays Bank customers suffered fraud as a result of the security breach, while Monzo Bank sent out 6,000 replacement cards after suspicions of fraud.

Ticketmaster said it will appeal the fine, which was reduced by £250,000 due to the financial hit of the coronavirus pandemic.

Despite warnings from several banks, it took the website nine weeks to begin monitoring activity on its payments page, the ICO said.

James Dipple-Johnstone, ICO deputy commissioner, said: "When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

"Ticketmaster should have done more to reduce the risk of a cyberattack.

“Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”

A spokesperson for the company said: "Ticketmaster takes fans' data privacy and trust very seriously.

“Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal today’s announcement.”

Malicious software was found inside third-party software created by Inbenta Technologies but running on Ticketmaster's site, the latter firm admitted in 2018, adding that customers’ “personal or payment information may have been accessed” by unknown figures over a period of months.