The latest industry news to your inbox.


I'd like to hear about marketing opportunities


I accept IQ Magazine's Terms and Conditions and Privacy Policy


Ticketmaster UK fined for 2018 data breach

Ticketmaster will pay a £1.25m fine to the Information Commissioner's Office for GDPR failings relating to a cyberattack in 2018

By IQ on 16 Nov 2020

James Dipple-Johnstone, ICO

image © Information Commissioner's Office

The UK’s Information Commissioner’s Office (ICO) has fined Ticketmaster £1.25 million over a data breach that compromised the payment information of an estimated 9.4m customers in Europe, including 1.5m in the UK.

Concluding its investigation of a 2018 cyberattack which targeted Ticketmaster, TicketWeb and Get Me In! websites through a third-party customer support plug-in, the ICO found that Ticketmaster UK Ltd violated GDPR by failing to put in place “appropriate security measures” to protect its customers’ data.

ICO investigators found that, as a direct result of the Ticketmaster breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.

James Dipple-Johnstone, ICO deputy commissioner, says Ticketmaster failed to assess the risks of including the third-party product, a chatbot developed by Inbenta Technologies, on its payment page, as well implement appropriate security measures to negate those risks.

“Looking after their customers’ personal details safely should be at the top of organisations’ agenda”

The company also failed to identify the source of the fraudulent activity in a timely manner, having taken nine weeks from first being alerted to possible fraud (in February 2018) to finally monitoring the network traffic through its online payment page, according to the ICO.

“When customers handed over their personal details, they expected Ticketmaster to look after them,” says Dipple-Johnstone (pictured). “But they did not. Ticketmaster should have done more to reduce the risk of a cyberattack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The Ibenta bot was removed from Ticketmaster’s websites in June 2018.


Get more stories like this in your inbox by signing up for IQ Index, IQ’s free email digest of essential live music industry news.

Comments are closed.