Ticketmaster UK Limited – Hacker Attack

Ticketmaster UK Limited – Hacker Attack

Ticketmaster UK Limited received a GDPR fine of 1,392,525 due to a hacker attack on the server. The data was stored by their subcontractor Inbenta. The hackers were able to access credit card information through the chat bot by manipulating it.

From February 2018 to June 23, 2018, hackers managed to extract names and credit card information on a manipulated Ticketmaster payment page. 9.4 million credit card holders are potentially affected. Barclays Bank reported approximately 60,000 compromised credit cards and Monzo Bank exchanged 6,000 cards on suspicion of fraud.

The incident became known by the fact that on April 6, 2018, 50 Monzo Bank customers reported fraudulent transactions with their credit cards. On April 16, 2018, Monzo Ticketmaster pointed out that the Ticketmaster website was the cause of the credit card compromise. Shortly thereafter, other customers such as Barclaycard, Commonwealth Bank Australia, MasterCard and American Express also reported fraud.

Only on May 5, 2018, Ticketmaster commissioned four IT forensics companies to investigate the incidents. On May 9, a notice appeared on Twitter, that infected code was delivered on Inbenta’s website. In the meantime, antivirus programs had also classified the payment page as malicious. Forensic experts have scanned a total of 117 TB of data for malware until June 8, 2018, but could not find anything.

On 22 June, Ticketmaster received a warning from Barclaycard that there are about 37,000 cases of fraud. Only the next day the malicious code was found on the Ticketmaster website. This was found in the Javascript code of the chat bot, which was also included on the payment page. The bot itself was hosted on a subcontractor’s Inbenta server that hackers could penetrate. The chat bot was designed to use all entries in web forms. This allowed the cybercriminals to pick up the entered credit card information via the rigged chat bot.

Article 5 (1) lit. of the GDPR and Article 32 of the GDPR have been violated here.

Entscheidungsdatum:
13.11.2020

Land:
United Kingdom

Art des Verstoßes:
Illegal data processing

Betroffene Datensätze:
9400000

Waren sensible Daten betroffen?:
No

verhängte Geldstrafe:
€ 1,392,525,-

Quelle: