Ticketmaster UK Limited – Hacker Attack
Ticketmaster UK Limited received a GDPR fine of 1,392,525 due to a hacker attack on the server. The data was stored by their subcontractor Inbenta. The hackers were able to access credit card information through the chat bot by manipulating it.
From February 2018 to June 23, 2018, hackers managed to extract names and credit card information via a manipulated Ticketmaster payment page. 9.4 million credit card holders are potentially affected. Barclays Bank reported approximately 60,000 compromised credit cards, and Monzo Bank exchanged 6,000 cards on suspicion of fraud.
The incident came to light when, on April 6, 2018, 50 Monzo Bank customers reported fraudulent transactions with their credit cards. On April 16, 2018, Monzo pointed out to Ticketmaster that the Ticketmaster website was the cause of the credit card compromise. Shortly thereafter, other customers such as Barclaycard, Commonwealth Bank Australia, MasterCard and American Express also reported fraud.
Only on May 5, 2018 did Ticketmaster commission four IT forensics companies to investigate the incidents. On May 9, a notice appeared on Twitter that infected code was being delivered on Inbenta’s website. In the meantime, antivirus programs had also classified the payment page as malicious. By June 8, 2018, forensic experts had scanned a total of 117 TB of data for malware but could not find anything.
Article 5 (1) lit. of the GDPR and Article 32 of the GDPR have been violated here.
Type of Issue:
Illegal data processing
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
32. Security of processing
5. Principles relating to personal data processing