[BreachExchange] Ticketmaster Scores Hefty Fine Over 2018 Data Breach

Destry Winant destry at riskbasedsecurity.com
Mon Nov 16 10:48:22 EST 2020


https://threatpost.com/ticketmaster-fine-2018-data-breach/161198/

The events giant faces a GDPR-related penalty in the U.K., and more
could follow.

Ticketmaster’s UK division has been slapped with a $1.65 million fine
by the Information Commissioner’s Office (ICO) in the UK, over its
2018 data breach that impacted 9.4 million customers.

The fine (£1.25 million) has been levied after the ICO found that the
company “failed to put appropriate security measures in place to
prevent a cyber-attack on a chat-bot installed on its online payment
page” – a failure which violates the E.U.’s General Data Protection
Regulation (GDPR).

In June 2018, the ticket-selling giant said that it found malware
within a customer chat function for its websites, hosted by Inbenta
Technologies. Worryingly, the malicious code was found to be accessing
an array of information, including name, address, email address,
telephone number, payment details and Ticketmaster login details. It
later came to light that the attack was the work of the Magecart gang,
known for injecting payment skimmers into vulnerable website
components.

The malware managed to stay under the radar for months as well,
Ticketmaster admitted at the time. The breach affected international
customers who purchased, or attempted to purchase, event tickets
between September 2017 and late June 2018, while UK users were
impacted between February and June 2018.

U.S. customers were not affected.

The UK portion of the breach began in February 2018 when Monzo Bank
customers reported fraudulent transactions, the ICO said.

“The Commonwealth Bank of Australia, Barclaycard, Mastercard and
American Express all reported suggestions of fraud to Ticketmaster,”
according to the regulator’s announcement of the fine. “But the
company failed to identify the problem.”

Thus, the ICO found that Ticketmaster not only failed to look into
risks and appropriate security measures for the chatbot, but that it
didn’t identify the issue in a timely manner.

The watchdog group also determined that the breach did in fact lead
directly to widespread fraud.

“Investigators found that, as a result of the breach, 60,000 payment
cards belonging to Barclays Bank customers had been subjected to known
fraud,” according to the ICO. “Another 6,000 cards were replaced by
Monzo Bank after it suspected fraudulent use.”

Although the UK portion of the breach began in February 2018, the
penalty only relates to the issues starting in May 2018, when new
rules under the GDPR came into effect.

Other Ticketmaster divisions were eventually found to be impacted by
the Magecart attacks, which could lead to further GDPR fines.

Researchers at RiskIQ in 2018 uncovered evidence that the Inbenta
attack was not a one-off, but instead indicative of a larger
initiative involving successful breaches of many different third-party
providers, including Inbenta, the SociaPlus social media integration
firm, web analytics companies PushAssist and Annex Cloud, the Clarity
Connect CMS platform and others.

RiskIQ also said that as a result, it found evidence the skimmer was
active on a broader range of Ticketmaster websites than previously
known, including Ticketmaster sites for Ireland, Turkey and New
Zealand, among others.

“When customers handed over their personal details, they expected
Ticketmaster to look after them,” said James Dipple-Johnstone, ICO
deputy commissioner. “But they did not. Ticketmaster should have done
more to reduce the risk of a cyberattack. Its failure to do so meant
that millions of people in the UK and Europe were exposed to potential
fraud.”

