We warn businesses that a data protection failing, particularly a personal data security breach, will result in bad publicity, a loss of credibility and ultimately a loss of customers. But it is not always true.
Take, for example, the case of Ticketmaster. A fine of £1.25 million was handed out to Ticketmaster in November 2020 by the Information Commissioner’s Office (“ICO”) for failing to keep customer personal data secure. A successful cyber attack on the front end of the online payment page collected names and payment card details (including CVV numbers). The security breach potentially affected 9.4 million people across Europe and there is evidence that 60,000 payment cards belonging to customers of Barclays were subjected to fraud on the back of the breach.
The ICO investigation (you can read the report here) found that Ticketmaster had failed to assess the risks involved in using a chat-bot on its payment page; failed to implement appropriate security to manage the risks; and failed to identify the attack in a timely manner. The breach continued over a period of months despite warnings from various banks that customers were reporting fraudulent transactions. The Penalty Notice states that “Ticketmaster have been unable to provide the Commissioner with a breakdown of the individuals affected.” However, it had received some 997 complaints alleging financial loss and/or emotional distress.
One of the banks involved, Monzo, produced evidence to Ticketmaster that Ticketmaster’s website had been the source of a data leak that led to an attempted fraud. A customer used a Monzo bank card to try to purchase tickets via the Ticketmaster website but wrongly entered the expiry date of the card. The transaction failed, but the same credentials were later presented by the fraudsters in an attempted fraudulent transaction. Monzo described this as a “smoking gun”, a clear trail back to Ticketmaster. It was not the only evidence. Barclaycard was raising queries in April 2018, as were the Commonwealth Bank of Australia, MasterCard and American Express. In May there were comments on Twitter that Ticketmaster’s website had been compromised. Still, it took until June 2018 for Ticketmaster to identify and stop the leak.
There is a current legal claim against Ticketmaster on behalf of the UK customers affected by the breach, so there may be more financial penalties to come for Ticketmaster. But this case knocks a hole in the premise that companies that fail to protect personal data will suffer a loss of credibility, customer trust and, ultimately, customers as a result. Ticketmaster is often the only way to purchase tickets for events. We accept their incompetence in the same way as we accept the long, involved terms and conditions on websites and cookie consent clauses, because we have no choice if we are to access the services they provide.
Mandy Webster, Data Protection Consulting