The ICO has fined Ticketmaster £1.25 million arising from a breach incident in June 2018 with 9.4 million EEA data subjects potentially affected for breaches under Articles 5 and 32 of the GDPR. 

Malicious code had been introduced via the chat bot used on Ticketmaster websites designed to interpret user's questions, to which it automatically identified relevant help articles or information. The chat bot was included on Ticketmaster's payment page which allowed personal data to be scraped by the malicious code including financial data, such as names, payment card numbers, expiry dates and CVV numbers.

In its decision the ICO highlighted, amongst other things, that Ticketmaster should have been aware of the supply chain risks in implementing third party JavaScripts into a website or chat bot that processes personal data such as payment card data. The ICO said the decision to install the chat bot on the payment page of Ticketmaster's website was an identified failure and gave rise to a risk of a personal data breach.

The ICO also concluded that the data breach was not intentional or deliberate but that "Ticketmaster displayed a lack of consideration to protect personal data and was negligent for the purposes of Article 83(2)(b)".

This incident highlights the vulnerabilities which can arise from supply chain attacks.