The UK’s Information Commissioner’s Officer confirmed on Friday that it was fining Ticketmaster £1.25 million in relation to a data breach of the ticketing firm’s website back in 2018.
The UK’s Information Commissioner’s Officer confirmed on Friday that it was fining Ticketmaster £1.25 million in relation to a data breach of the ticketing firm’s website back in 2018.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
The ICO’s decision is evidence of the changing times. Data breaches can cost millions in damages and fines, as well as have a devastating impact on customer trust. In fact, our research has studied the costs, lawsuits and fines associated with the data breach that affected TicketMaster in 2018 and compared it to the bounty prices associated with the third-party JavaScript vulnerability that was exploited in that breach. Had the vulnerability been identified and responsibly disclosed by hackers as part of a bug bounty program, the organisations would have only had to pay out between £4,149 – £8,328 based on average bug bounty prices. Surely this is a small price to may when taking into account the fine now facing the company.
Attack surfaces have increased as we continue to digitally transform and adapt, meaning it will always be a challenge trying to stay ahead of cybercriminals. To remain secure, organisations must identify where they are most vulnerable. By running bug bounty programs and using hackers to find the holes in their security, our customers have safely resolved over 180,000 vulnerabilities before a breach could occur. Through just an estimate of the pay-outs hackers have received for reporting similar vulnerabilities, our research highlights how companies can save millions and reduce risk by being proactive when it comes to identifying and patching their vulnerabilities.
The ICO’s penalty is a step in the right direction for cybersecurity accountability, and any fine issued must have a dissuasive effect and set clear precedents that breaching important data protection laws will be punished.
The Ticketmaster data breach was a completely avoidable incident that impacted 1.5 million UK customers alone. Despite investigations in April 2018, Ticketmaster failed to identify the coding vulnerability for some 9 weeks thereafter. This vulnerability should not have been there in the first place, let alone neglected for so long despite the problem being raised.
It should not be the case of a third-party (in this case, a bank) flagging data breaches to a business, nor is it acceptable for Ticketmaster to simply shift the blame to Inbenta as the providers of the chatbot service. The buck firmly stops with Ticketmaster; complacency is never an acceptable excuse. Corporate responsibility when it comes to data protection must always be a top priority.
Importantly, consumers have every right to pursue Ticketmaster for compensation as part of a Group Action claim, and my firm continues to offer No Win, No Fee legal support to those affected. Compensation action serves to ensure justice for the victims as well as increasing the punishment for offenders, which is hugely important given that we continue to see worryingly high numbers of data breach events that affect millions of people in the UK.