
Ticketmaster UK fined for 2018 data breach

The UK’s Information Commissioner’s Office (ICO) has fined Ticketmaster £1.25 million over a data breach that compromised the payment information of an estimated 9.4m customers in Europe, including 1.5m in the UK.

Concluding its investigation of a 2018 cyberattack which targeted Ticketmaster, TicketWeb and Get Me In! websites through a third-party customer support plug-in, the ICO found that Ticketmaster UK Ltd violated GDPR by failing to put in place “appropriate security measures” to protect its customers’ data.

ICO investigators found that, as a direct result of the Ticketmaster breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.

James Dipple-Johnstone, ICO deputy commissioner, says Ticketmaster failed to assess the risks of including the third-party product, a chatbot developed by Inbenta Technologies, on its payment page, as well as to implement appropriate security measures to mitigate those risks.

The company also failed to identify the source of the fraudulent activity in a timely manner, having taken nine weeks from first being alerted to possible fraud (in February 2018) to finally monitoring the network traffic through its online payment page, according to the ICO.

“When customers handed over their personal details, they expected Ticketmaster to look after them,” says Dipple-Johnstone (pictured). “But they did not. Ticketmaster should have done more to reduce the risk of a cyberattack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The Inbenta bot was removed from Ticketmaster’s websites in June 2018.

Get more stories like this in your inbox by signing up for IQ Index, IQ’s free email digest of essential live music industry news.

GDPR, mailing lists and the live business

The data generated by digital platforms such as Spotify provides musicians with valuable insights into their fans’ locations and behaviour. Fortunately, much of the data provided by third-party platforms is anonymised, which means it generally falls outside data protection legislation.

However, bands, promoters and booking agents routinely collect contact details and other personal data relating to their fans and customers, which falls squarely within the remit of the legislation.

There is a legal requirement when collecting, using and storing personal data to inform the data subjects about what data you are collecting and what you will be doing with it. This doesn’t just apply to companies; bands and musicians acting in the course of business also have this obligation (there are exemptions, and you should visit your local information commissioner’s office website to find out more).

This is usually done via a privacy policy, which should be tailored to your specific uses of the data you collect. If you have a website, it is good practice to have a link to your privacy policy on your website.

So, if you receive an email from a fan asking for information about a forthcoming tour, can you add their email address to your database and start sending them marketing material? The simple answer is no, you can’t.

Individuals usually have to give explicit consent to their personal data being used for marketing purposes. However, you can reply to the fan, answer their question and ask if they want to join your mailing list. If they agree, you are free to market to them, but remember to make a record of their consent, and ensure that your marketing emails include simple instructions to help the recipient locate your privacy information and opt out of the emails.

If you’re planning to share personal data with a third party, such as between a band and a promoter, it’s important to establish a legal basis for this transfer to take place. This should be set out in your privacy policy. Data protection is a tricky area, and care should be taken not to breach the legislation.

Rob Eakins can be reached on +44 161 358 0280 or robeakins@hrclaw.co.uk


Ticketmaster in £5m lawsuit over UK data breach

A British law firm has launched a £5 million lawsuit against Ticketmaster following a security breach in June last year, which may have affected up to 40,000 users of the ticketing service in the UK.

Widnes law firm Hayes Connor issued its claim at the High Court in Liverpool on Wednesday (3 April) on behalf of over 650 claimants. The firm is pursuing damages of up to £5m (US$6.5m), saying many claimants “suffered multiple fraudulent transactions” and a third endured “significant stress”.

Ticketmaster UK confirmed it had identified a major security breach on its systems on 23 June 2018. The breach was caused by malicious software on a third-party customer support product hosted by Inbenta Technologies. Ticketmaster immediately disabled the product across its platforms.

The following month, cyber-security firm RiskIQ warned the TM hack was the “tip of the iceberg”, noting that the Inbenta plug-in also ran on hundreds of other ecommerce sites.

Data, including personal information and payment and login details, is believed to have been stolen. Ticketmaster has not confirmed how many customers were affected.

The breach was announced after the new General Data Protection Regulation (GDPR) came into effect.

Digital, mobile-only bank Monzo claims to have spotted the breach months earlier, notifying Ticketmaster of the security breach on 12 April.

“Ticketmaster failed to action the breach until two months after it was alerted to the fact by digital bank Monzo,” says Kingsley Hayes, managing director of Hayes Connor Solicitors.

“More than two thirds of our clients have suffered multiple fraudulent transactions since the serious data breach with the remainder still at risk of having their money stolen or their details used for fraudulent activity in the future,” adds Hayes.

Investigations into the security breach by the Information Commissioner’s Office (ICO) and National Crime Agency (NCA), along with officers from the National Cyber Crime Unit (NCCU), are ongoing.


Ticketmaster customer info compromised after data breach

Ticketmaster customers have been warned that they could be at risk of identity theft after the company yesterday confirmed that data had been compromised in an extensive data breach. The breach involved malicious software on a customer support product hosted by an external third-party supplier, Inbenta Technologies.

The product ran on Ticketmaster International, Ticketmaster UK, Get Me In and TicketWeb websites. Those potentially affected are UK customers who bought or attempted to buy tickets between February and 23 June 2018 and international customers who used the service between September 2017 and 23 June. Those thought to be affected have been notified.

Ticketmaster is advising those affected to change their passwords on their next sign-in and to monitor their account statements for evidence of fraudulent activity. Impacted customers are also being offered a free 12-month identity monitoring service with a leading provider. On a dedicated website set up to address the questions of those affected, Ticketmaster says it is working with relevant authorities, credit card companies and banks, as well as forensic teams and security experts.

Ticketmaster serves over 230 million customers worldwide each year, though it believes less than 5% have been affected by the breach.

The Guardian is reporting that a number of Ticketmaster customers have already experienced fraudulent activity on their accounts. According to the newspaper, people have identified unauthorised transfers using the service Xendpay and unauthorised purchasing of Uber gift cards and payments to Netflix.

The news of this data breach is the second event of its kind involving a ticketing company in recent weeks. Earlier this month, leading US ticketing platform Ticketfly was involved in a cyberattack which led to the data from 27 million accounts being compromised.

Both events are particularly timely, coming just a month after the adoption of the new European General Data Protection Regulation (GDPR) on 25 May. GDPR requires all companies, even those outside the EU, to ensure that data belonging to European citizens is treated with “an appropriate level of security”.


Ticketfly back online, confirms 27m accounts compromised

After resuming limited service on Monday, all Ticketfly services are back online.

After consulting with “third-party forensic cybersecurity experts”, the US ticket seller has confirmed earlier reports that approximately 27 million accounts were accessed in last week’s cyberattack, although – crucially – no credit or debit card information was stolen. However, personal information connected to the ~27m accounts, including names, addresses, email addresses and phone numbers, was compromised.

“Upon first learning about this incident we took swift action to secure the data of our clients and fans,” says a spokesperson for the Eventbrite-owned company. “We take privacy and security very seriously and regret any disruption this has caused. We’re extremely grateful for the patience and support of the Ticketfly community.”

All account information, including passwords, was automatically reset following the attack.

Interestingly, Australian cybersecurity expert Troy Hunt, of haveibeenpwned.com, reveals more than two thirds of the compromised information was already in the site’s database – indicating it had been stolen previously in a hack of another website.

In the aftermath of the attack, several American promoters and venues were forced to postpone last Friday’s onsales or migrate them to another ticketing system. A number of Ticketfly-powered websites were also downed along with Ticketfly.com.

The timing of the hack was especially sensitive, coming just a week after the implementation of the European General Data Protection Regulation (GDPR), which compels all companies – even those outside the EU, but which hold data on EU citizens – to ensure “an appropriate level of security” to protect data from theft or destruction.

The hacker, ‘IsHaKdZ’ – who claimed to have also obtained Ticketfly’s ‘backstage’ database, which is believed to contain client, rather than customer, information – has not yet resurfaced.


Ticketfly resumes limited service

Ticketfly clients will once again be able to access and manage their accounts as the leading US ticketing company resumes a limited online service after last week’s cyber incident. Access to Ticketfly Backstage will be reinstated, meaning Box Office, ticket purchasing and scanning capabilities will be available.

This announcement comes with the news that Ticketfly.com and the Ticketfly iOS app, among other services, will remain offline as investigations continue. Reports from the Associated Press suggest the data breach could have affected up to 26 million user accounts; however, the exact extent remains unknown.

After onsales took a hit on Friday, Ticketfly have worked around the clock to get the core of its platform back up and running again. In a statement regarding the attack, Ticketfly said: “It’s critical that the information we share with you is accurate and backed by certainty.

“The reality is cyber incidents are unique, and the investigations typically take more time than one would like because the full picture of what happened isn’t always quick to develop.”

Last week’s incident saw the Ticketfly.com website crashed by hacker(s) ‘IsHaKdZ’, who threatened to publish the website’s database. After this incident, Ticketfly made the decision to take the entirety of its service down, in the interest of client and customer safety.

Though investigators aren’t yet sure of the scale of the data breach, Ticketfly has said that names, addresses, emails and phone numbers of Ticketfly fans have been targeted. Coming after the recent implementation of the European General Data Protection Regulation (GDPR), which requires all companies, even those outside the EU, to ensure “an appropriate level of security” for data belonging to Europeans, this is a delicate situation.

On the data breach, Ticketfly has said: “We understand the importance you place on the privacy and security of your data and we deeply regret any unauthorised access to it.

“We assure you we are taking this very seriously and are committed to providing updates as appropriate.”

In the interim, users of the service are being asked to log into their accounts and reset their password. After doing this they will have access to all previously purchased tickets.


Onsales pushed back as Ticketfly remains offline

More than 24 hours after their shutdown following a cyberattack, Ticketfly’s systems and website remain offline, forcing partners to push back onsales or migrate to parent company Eventbrite.

Washington DC-based IMP Productions, which operates the 9:30 club (1,200-cap.), the Anthem (6,000-cap.) and the Lincoln Theatre (1,225-cap.), has four show onsales scheduled for today – Florence and the Machine/Beth Ditto, Eric Hutchinson/Jeremy Messersmith, Garbage and the Bentzen Ball – all of which have been pushed back a week. In a statement, the company thanks both Ticketfly, which is “working hard to securely restore its ticketing system”, and customers, for their “continued patience through these ongoing issues”.

Also affected is Chicago’s Jam Productions, as well as a host of venues, including Colorado’s Fox Theatre (500-cap.), New York’s Birdland Jazz Club (200-cap.), Vermont’s Higher Ground Music (900-cap.) and the Chameleon Club (1,000-cap.) in Lancaster, Pennsylvania, all of whose Ticketfly-powered websites are down. Jam’s Friday onsales are being processed by Eventbrite.

Ticketfly.com has been down since yesterday afternoon, after coming under attack from a hacker or hacking group identifying themselves as ‘IsHaKdZ’.

‘IsHaKdZ’ replaced the website’s homepage with a picture of a figure in a Guy Fawkes mask – the V for Vendetta style, as adopted by hacking collective Anonymous – and provided a link to 4,283 CSV spreadsheets, which it suggested contained the personal information of thousands of Ticketfly ‘members’, or customers (screenshot below).

Ticketfly members CSVs

The company confirmed this morning that client and customer data was compromised in the attack, although the severity of the breach is not yet known.

The timing of the hack is especially sensitive, coming just a week after the implementation of the European General Data Protection Regulation (GDPR), which compels all companies – even those outside the EU, but which hold data on EU citizens – to ensure “an appropriate level of security” to protect data from theft or destruction.

A person close to the situation says, since Ticketfly administrators are still “examining the extent of what’s happened”, it’s too early to say if any European customers have been affected by the breach – although it’s a possibility.

“Ticketfly is only really active in North America,” they tell IQ, “but it’s completely possible that, say, someone on holiday in Miami bought a ticket to see a show. If that data was then compromised, that would of course affect GDPR.”

Another source says the internal investigation into the attack is proceeding with “forensic” precision. “They’ve taken it very seriously,” they say. “It’s a forensic investigation. They’re dealing with huge amounts of data.”

At press time, there are conflicting reports as to the hackers’ demands – according to CNET, ‘IsHaKdZ’ had previously demanded one bitcoin (currently worth around US$7,500) to fix a security exploit in Ticketfly.com’s code, and downed the site when the ransom was not paid.

The attacker also claims to have obtained Ticketfly’s ‘backstage’ database, which is believed to contain client, rather than customer, information.


GDPR: Everything you need to know

Everyone, from Blondie to the Kinks and from Beastie Boys to Pearl Jam, has sung about the importance of privacy. From 25 May 2018, the way the live music industry handles the personal information of its European fans, artists and employees is set for a shake-up as the General Data Protection Regulation (GDPR) is introduced across Europe.

So, what is the GDPR?
The last European data protection law was introduced back in 1995. Since then, much has changed in terms of both the personal information we generate and share, and what we all perceive our rights over that data to be.

The new law provides enhanced rights to individuals to control how their data is handled, and puts greater regulatory scrutiny on companies who mistreat the data entrusted to them.

Who will it affect?
The law will apply to all companies processing the data of European citizens (be they fans, customers, artists, employees or partners), irrespective of whether the company processing the data is inside Europe, or located globally.

What might this cost me if I get it wrong?
Fines can be up to 4% of group annual turnover (or €20 million, whichever is higher).

Other impacts of non-compliance include the power for regulators to suspend a company’s processing activities subject to investigation and the ability for consumers to band together and bring class actions.

However, many companies are viewing the (i) potential brand damage, (ii) loss of customer trust, and (iii) diminishing investor return where personal information is mistreated, as potentially far more significant than the monetary penalties.

Is there any upside to this for me?
Many organisations have found that being upfront and transparent with customers about the data that is held on them and how it is used builds trust and often results in them sharing increasing amounts of information. This creates the opportunity to connect with fans and customers in an increasingly personalised way. Managed well, this could both lower the cost of acquiring and servicing them as well as increasing satisfaction.

Ok, maybe I should be doing something about this – where should I start?
First things first: get familiar with the law and nominate someone in your organisation to lead your company through the new requirements. You might need to appoint a data protection officer. Knowing both the relevant privacy laws and how to apply them to business processes is a considerable challenge. Having an appropriately skilled and qualified person in place is a must, and can repay any costs many times over by focussing any additional work only where it is absolutely necessary, whilst making sure full advantage is taken of the opportunity to engage more deeply with customers and fans.

Knowing what you need to do to comply with GDPR starts with having a proper grip on (i) what personal data you have, (ii) why you have it, (iii) what you use it for, (iv) where it is used and stored, and (v) what rights (consent) you have to hold and use it.

For example, you’ll be relying on consent to market to fans: where is that consent coming from? Do you collect it directly from the fan, or does another company collect it for you? Under GDPR, pre-ticked marketing opt-ins will be a thing of the past. The entity for whom consent is being given will also need to be named (e.g. generic “event partner” opt-ins will no longer be permissible). If you rely on others to collect marketing consent on your behalf, you should ensure they meet the new requirements.

Citizens will also have powerful new rights, including the ability to:
• Access and make corrections to any of the data you hold on them
• Request a copy of all of the data you hold on them, in a form that they can easily pass to others
• Request that you delete all of their data
• Opt out of some or all processing or profiling (e.g. marketing segmentation).

You must be ready to respond quickly should they choose to exercise these rights.

Hannah and Giles are chairing a GDPR session on 7 March 2018 at ILMC 30.