The ICO has fined Ticketmaster £1.25 million for breaches of Articles 5 and 32 of the GDPR, arising from a data breach incident in June 2018 in which 9.4 million EEA data subjects were potentially affected.
Malicious code had been introduced via the chat bot used on Ticketmaster websites, which was designed to interpret users' questions and automatically identify relevant help articles or information. The chat bot was included on Ticketmaster's payment page, which allowed personal data to be scraped by the malicious code, including financial data such as names, payment card numbers, expiry dates and CVV numbers.
The ICO also concluded that the data breach was not intentional or deliberate but that "Ticketmaster displayed a lack of consideration to protect personal data and was negligent for the purposes of Article 83(2)(b)".
This incident highlights the vulnerabilities which can arise from supply chain attacks.
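The exposure described above, a third-party chat bot script loaded on the payment page, is something a site owner can audit for. The following is an added example, not code from the ICO or Ticketmaster: the URLs, host names and HTML are constructed, and recognising card fields by their `autocomplete="cc-*"` tokens is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a checkout page that also loads a chat widget from another host.
SAMPLE_PAGE_URL = "https://tickets.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://chat-vendor.example/widget.js"></script>
</head><body>
<form action="/pay" method="post">
  <input name="cardholder" autocomplete="cc-name">
  <input name="card_number" autocomplete="cc-number">
  <input name="expiry" autocomplete="cc-exp">
  <input name="cvv" autocomplete="cc-csc">
</form>
</body></html>
"""

class PageAudit(HTMLParser):
    """Collects script URLs and card-related input fields from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []      # absolute URLs of every <script src=...>
        self.card_fields = []  # names of inputs that collect card data

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            # Resolve relative and protocol-relative URLs against the page URL.
            self.scripts.append(urljoin(self.page_url, a["src"]))
        elif tag == "input":
            # Assumption: card fields carry cc-name, cc-number, cc-exp, cc-csc tokens.
            if a.get("autocomplete", "").lower().startswith("cc-"):
                self.card_fields.append(a.get("name") or a["autocomplete"])

def third_party_scripts_on_payment_page(page_url, html):
    """Return scripts served from a host other than the page's own, but only
    when the page collects card data; otherwise return an empty list."""
    audit = PageAudit(page_url)
    audit.feed(html)
    if not audit.card_fields:
        return []
    own_host = urlparse(page_url).hostname
    return [s for s in audit.scripts if urlparse(s).hostname != own_host]

if __name__ == "__main__":
    for src in third_party_scripts_on_payment_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("third-party script on payment page:", src)
```

Any script it reports runs with full access to the form fields on that page, so each one needs either a justification for being there or removal from the payment flow.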
The Information Commissioner’s Office (ICO) has fined Ticketmaster UK Limited £1.25 million for failing to keep its customers’ personal data secure.