Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal

Own your screwups, growls irate watchdog


The Information Commissioner’s Office has fined Ticketmaster £1.25m after the site’s operators failed to spot a Magecart card skimmer infection until after 9 million customers’ details had been slurped by criminals.

The breach began in February 2018 and was not detected until April, when banks realised their customers’ cards were being abused by criminals immediately after they were used for legitimate purchases on Ticketmaster’s website.

Key to the criminals’ success was Ticketmaster’s decision to deploy a Javascript-powered chatbot on its website payment pages, giving criminals an easy way in by compromising the third party’s JS – something the ICO held against Ticketmaster in its decision to award the fine.

Ticketmaster ‘fessed up to world+dog in June that year, and the final damage has now been revealed by the Information Commissioner’s Office (ICO): 9.4m people’s data was “potentially affected” of which 1.5m were in the UK; 66,000 credit cards were compromised and had to be replaced; and Ticketmaster itself doesn’t know how many people were affected between 25 May and 23 June 2018.

Today’s fine only applies to that May-June period, which happens to be after the Data Protection Act 2018 – the UK implementation of the EU’s GDPR – came into force. This allowed the ICO to impose a higher penalty than it could have done under the pre-GDPR legal regime.

James Dipple-Johnstone, a deputy Information Commissioner in charge of the investigation, said in a statement: “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25m fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

Ticketmaster remains in denial about its culpability for the breach, telling The Register in a statement: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal today’s announcement.”

Inbenta Technologies supplied a custom Javascript-powered chatbot to Ticketmaster which was compromised by the Magecart operators.

Crucially, for whatever reason, Ticketmaster deployed the chatbot on its payment pages, giving the criminals a way in.

As we reported in 2018, Inbenta told us of Ticketmaster’s deployment of the Javascript in question: “Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”

'Smoking gun' was first spotted by banks

The attack was only spotted in 2018 when alert folk at challenger bank Monzo realised one of their customers’ cards had been compromised after being used on Ticketmaster’s website. The lucky customer had typo’d the card expiry date; the very next day, it was used for a fraudulent transaction but with the same incorrect expiry date, revealing whoever was using it had lifted the details from Ticketmaster. Monzo fronted up Ticketmaster and presented their “smoking gun”, to evident indifference.

“It took Ticketmaster approximately nine weeks from the date of Monzo’s notification of possible fraud involving the Ticketmaster website for Ticketmaster to run a payment through its payment page and monitor the network traffic thereon,” said an incredulous ICO, which noted that it took a random Twitter user explaining why JS on a payments page is a bad thing for the business to wake up and do something about it.

Barclaycard and American Express also noticed suspicious goings-on in April 2018, but Ticketmaster steadfastly denied anything was wrong until May, eventually realising the game was up in June.

“Ticketmaster did not adequately test, assess or evaluate whether the security measures operating between the chat bot and its own payment page were adequate to address the known risks of third party scripts,” said the ICO.

By its own admission, Ticketmaster wasn’t even monitoring how often Inbenta updated its Javascript – in breach of all rules and guidance on JS and payments pages.

Magecart was the attack vector that saw 380,000 people’s credit card details stolen from British Airways.

Credit reference agency Experian has also declared it will appeal against an ICO rap-on-the-knuckles, despite not being fined for wrongfully trading “millions” of people’s data with marketing agencies. ®


Biting the hand that feeds IT © 1998–2020