Ticketmaster Data Breach Could Equal GDPR Fines in Millions

It was announced this past weekend that Ticketmaster suffered a security breach, which reportedly included personal and payment information for 40,000 users in the United Kingdom. The company can now face millions in fines under the GDPR laws.

Ticketmaster admitted that it had identified malicious software from the customer support product hosted by Inbenta Technologies. This third-party supplier caused the hack, and could have compromised names, addresses, telephone numbers, payment details, and log-in details from Ticketmaster. Users who tried or bought tickets between February and June 23, 2018 in the UK have likely been affected.

BBC  reports that the UK’s National Cyber Security Centre – which is a division of the General Data Protection Regulation (GCHQ) – said it was monitoring the situation. A spokesman added that the NCSC is working with its partners to understand the incident.

According to UK’s The Times, the digital bank Monzo spotted a problem on April 6 when 50 customers got in touch with the bank to report fraudulent transactions on their accounts. The firm’s Financial Crime and Security Team did more investigating and found that 70 percent of affected customers had used their cards with Ticketmaster. Monzo warned Ticketmaster of a possible identity theft problem on April 12, and after Ticketmaster visited Monzo’s offices, they promised to “investigate internally.” Later, the firm told the bank that they did not find any evidence of the breach.

However, Ticketmaster claimed this past weekend that it did not know about the breach until June. Now, the firm could potentially face a hefty fine under the EU’s GDPR laws, which require firms to report data breaches without “unique delay,” and if possible, it should be reported within 72 hours of becoming aware of the incident. The Guardian reported that Ticketmaster “could face questions” about whether it kept the incident quiet.

Monzo outlined the timeline of the Ticketmaster breach.

This is the first disclosure of a major breach which occurred under the new GDPR. The Times said that fines could reach up to €20 million or 4 percent of turnover. Elizabeth Denham, the Information Commissioner, told The Times that since GDPR took effect last month, the office had received “more than a thousand breach reports.”

The incident is under investigation at this time.