Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal

Own your screwups, growls irate watchdog


The Information Commissioner’s Office has fined Ticketmaster £1.25m after the site’s operators failed to spot a Magecart card skimmer infection until after 9 million customers’ details had been slurped by criminals.

The breach began in February 2018 and was not detected until April, when banks realised their customers’ cards were being abused by criminals immediately after they were used for legitimate purchases on Ticketmaster’s website.

Key to the criminals’ success was Ticketmaster’s decision to deploy a Javascript-powered chatbot on its website payment pages, giving criminals an easy way in by compromising the third party’s JS – something the ICO held against Ticketmaster in its decision to award the fine.

Ticketmaster ‘fessed up to world+dog in June that year, and the final damage has now been revealed by the Information Commissioner’s Office (ICO): 9.4m people’s data was “potentially affected” of which 1.5m were in the UK; 66,000 credit cards were compromised and had to be replaced; and Ticketmaster itself doesn’t know how many people were affected between 25 May and 23 June 2018.

Today’s fine only applies to that May-June period, which happens to be after the Data Protection Act 2018 – the UK implementation of the EU’s GDPR – came into force. This allowed the ICO to impose a higher penalty than it could have done under the pre-GDPR legal regime.

James Dipple-Johnstone, a deputy Information Commissioner in charge of the investigation, said in a statement: “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. The £1.25m fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

Ticketmaster remains in denial about its culpability for the breach, telling The Register in a statement: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal today’s announcement.”

Inbenta Technologies supplied a custom Javascript-powered chatbot to Ticketmaster which was compromised by the Magecart operators.

Crucially, for whatever reason, Ticketmaster deployed the chatbot on its payment pages, giving the criminals a way in.

As we reported in 2018, Inbenta told us of Ticketmaster’s deployment of the Javascript in question: “Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”

'Smoking gun' was first spotted by banks

The attack was only spotted in 2018 when alert folk at challenger bank Monzo realised one of their customers’ cards had been compromised after being used on Ticketmaster’s website. The lucky customer had typo’d the card expiry date; the very next day, it was used for a fraudulent transaction but with the same incorrect expiry date, revealing whoever was using it had lifted the details from Ticketmaster. Monzo fronted up Ticketmaster and presented their “smoking gun”, to evident indifference.

“It took Ticketmaster approximately nine weeks from the date of Monzo’s notification of possible fraud involving the Ticketmaster website for Ticketmaster to run a payment through its payment page and monitor the network traffic thereon,” said an incredulous ICO, which noted that it took a random Twitter user explaining why JS on a payments page is a bad thing for the business to wake up and do something about it.

Barclaycard and American Express also noticed suspicious goings-on in April 2018, but Ticketmaster steadfastly denied anything was wrong until May, eventually realising the game was up in June.

“Ticketmaster did not adequately test, assess or evaluate whether the security measures operating between the chat bot and its own payment page were adequate to address the known risks of third party scripts,” said the ICO.

By its own admission, Ticketmaster wasn’t even monitoring how often Inbenta updated its Javascript – in breach of all rules and guidance on JS and payments pages.

Magecart was the attack vector that saw 380,000 people’s credit card details stolen from British Airways.

Credit reference agency Experian has also declared it will appeal against an ICO rap-on-the-knuckles, despite not being fined for wrongfully trading “millions” of people’s data with marketing agencies. ®

Similar topics


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022