The Information Commissioner's Office (ICO) has fined Ticketmaster for the ticketing platform's failure to secure its customers' data in 2018. The penalty is worth over $1.65 million.
As reported by the BBC, the ICO believes that the data of more than nine million customers in Europe was potentially harvested in the breach; 1.5 million of those customers are based in the United Kingdom.
"Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud," ICO's deputy commissioner James Dipple-Johnstone said.
Ticketmaster is to appeal against the decision, the ticket sales company said in a statement. The company believes that it has tried to offer full cooperation to the ICO following Inbenta Technologies' breach.
How Did It Happen?
The chatbot on Ticketmaster's online payment page, which Inbenta Technologies developed, is said to have been the security loophole. Purchases made between September 2017 and late June 2018 were targeted.
In 2018, cyber-attackers used the bot to harvest customer payment details, leaving more than nine million users exposed. The malicious code exposed all of the customers' details, including full names, addresses, billing details, telephone and CVV numbers, and anything Ticketmaster-related.
Magecart, a group of hackers and credit card skimmers, is believed to be behind this operation, as Threatpost reported. The BBC reports that over 60,000 Barclays bank customers were among those affected. Fortunately, US customers were not affected.
Magecart is an international cybercrime syndicate. It has been blamed for several operations, including the Forbes magazine subscription scam and attacks on the Atlanta Hawks' online fan merchandise store and hundreds of college campus bookstores.
All affected customers were informed and offered a free 12-month identity monitoring service. Before the attack, Ticketmaster managed to sell over 292 million tickets in 2017.
Several banks had reached out to Ticketmaster about the potential leak, but it took the company an 'unacceptable' nine weeks to take action.
On behalf of the victims, law firm Keller Lenkner is to pursue legal action against the ticketing company. The complicated lawsuit is challenging for both sides, and the law firm accuses Ticketmaster of 'refusing to accept any blame for the data hack.'
Not the Only Company
In the same year, several other companies were also affected, including British Airways and pharmacy company Doorstep Dispensaree.
The ICO fined British Airways $26 million, the most prominent fine the ICO has ever issued. It was dramatically decreased from the original $241 million (£183 million) demand due to the current economic atmosphere in the pandemic period.
It wasn't until two months later that a security researcher brought the issue to British Airways and the ICO. Login credentials and payment details of over 500,000 customers were harvested.