Ticketmaster UK Limited – hacker attack
Ticketmaster UK Limited received a GDPR fine of €1,392,525 following a hacking attack on its systems. The affected data was processed at its sub-service provider Inbenta. By manipulating the chat bot supplied by Inbenta, the attackers were able to access customers' credit card information.
Between February 2018 and June 23, 2018, the attackers extracted names and credit card details from a manipulated Ticketmaster payment page. Up to 9.4 million credit card holders are potentially affected. Barclays Bank reported approximately 60,000 compromised credit cards, and Monzo Bank replaced 6,000 cards on suspicion of fraud.
The incident came to light when, on April 6, 2018, 50 Monzo Bank customers reported fraudulent transactions on their credit cards. On April 16, 2018, Monzo pointed out to Ticketmaster that the Ticketmaster website was the common point of the credit card compromise. Shortly thereafter, other card issuers and payment networks, including Barclaycard, Commonwealth Bank Australia, MasterCard and American Express, also reported fraud.
Not until May 5, 2018 did Ticketmaster commission four IT forensics companies to investigate the incidents. On May 9, a post on Twitter reported that infected code was being served from Inbenta's website. By that time, antivirus programs had also classified the payment page as malicious. By June 8, 2018, the forensic investigators had scanned a total of 117 TB of data for malware without finding anything.
On June 22, Ticketmaster received a warning from Barclaycard about approximately 37,000 cases of fraud. Only the next day was the malicious code found on the Ticketmaster website. It was located in the JavaScript code of the chat bot, which was also embedded on the payment page. The bot itself was hosted on the server of the subcontractor Inbenta, which the attackers had been able to compromise. The chat bot was designed to read all entries made in web forms, so the criminals were able to harvest the credit card details entered on the payment page through the rigged chat bot.
This constituted a violation of Art. 5 para. 1 lit. GDPR as well as Art. 32 GDPR.
Decision date: 13.11.2020
Country: Great Britain
Type of violation: Illegal data processing
Affected records: 9,400,000
Were sensitive data affected?: No
Fine imposed: €1,392,525
Violated GDPR articles:
32. Security of processing
5. Principles relating to personal data processing
Source:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/11/ico-fines-ticketmaster-uk-limited-125million-for-failing-to-protect-customers-payment-details/