author photo
By Bruce Sussman
Tue | Nov 17, 2020 | 3:00 AM PST

Do any of those crazy Ticketmaster fees help fund cybersecurity at the company?

That's unclear. However, we do know it failed at cybersecurity in several ways and must now pay a seven-figure fine.

The Information Commissioner's Office (ICO) in the U.K. announced its findings along with a fine equivalent to $1.6 million. 

The Ticketmaster U.K. data breach investigation

The ICO investigation looked at a 2018 Ticketmaster data breach that lasted several months and compromised 9.4 million European customer names, credit card numbers, security codes, and expiration dates.

And the data breach led to real impacts, according to the findings:

"Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use."

The ICO says Ticketmaster violated parts of the Data Protection Act and the GDPR, both of which are privacy and security regulations.

How did Ticketmaster fail at cybersecurity and fail to protect its sensitive customer data? According to the ICO report, here are three ways:

1. Ticketmaster failed to assess the risks of using a chatbot on its payment page

"Ticketmaster's decision to include the chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers' financial details... the company failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page."

The first failure was failing to do any kind of risk assessment related to the chatbot.

This was required, the ICO says, because Ticketmaster needed to hold the chatbot to payment card PCI-DSS standards, even though it was not actually taking payments. Check this out:

"...despite its repeated contention to the contrary, Ticketmaster was bound by the following PCI-DSS requirements concerning the payment card environment, which applied regardless of whether the chat bot was or was not intended or expected to process payment card information...

...PCI DSS requirement 12.2 required Ticketmaster to 'implement a risk assessment process that:... is performed at least annually and upon significant changes to the environment.... identifies critical assets, threats and vulnerabilities.' However, no such risk assessment was performed upon the chat bot being introduced as part of the
payment environment."

The investigators say this failure violated the company's own secure coding guidelines. 

2. Ticketmaster failed to identify and implement appropriate security measures to negate the risks

The ICO says it looked at this cyberattack from multiple angles and it became clear that Ticketmaster failed to implement appropriate security controls despite well=documented risks related to this type of data breach:

"Implementing third party JavaScripts into a website or chat bot
has, for some time, been a known security risk. The risk to personal
data is greater when such third party JavaScripts are implemented into web pages that process personal data such as a payment page.

Extensive publications had addressed that risk and identified associated security measures in advance of the Personal Data Breach in this instance. In particular, publications had identified that a benign script could be changed by an attacker to 'scrape' personal data, of which process the data controller or processor would likely have no visibility."

The ICO report then lists more than a dozen publications and reports citing this kind of risk to payment card pages and sites.

"...those publications evidence that Ticketmaster ought reasonably to have been aware prior to the time of the Incident of the risk of
implementing third party JavaScripts into a web site that processes
personal data such as payment card data."

3. Ticketmaster failed to identify the source of suggested fraudulent activity in a timely manner

And the third failure involves timing. The breach went on even after credit card giants told Ticketmaster U.K. that the company was showing signs of a data breach:

"The breach began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. But the company failed to identify the problem.

In total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page."

And not only did Ticketmaster take nine weeks to pinpoint the data breach, the ICO says once it did know, it failed to notify government authorities within 72 hours as required by GDPR.

Conclusion: Ticketmaster data breach fine

And for all these reasons, a seven-figure fine seemed appropriate to the ICO.

James Dipple-Johnstone, ICO Deputy Commissioner, explains it like this:

"Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

The £1.25milllion fine we've issued today will send a message to other organisations that looking after their customers'personal details safely should be at the top of their agenda."

There is more to the story, if you have time. Read the ICO Penalty Notice Against Ticketmaster.