James Castro-Edwards reviews why the ICO fined Ticketmaster and suggest some lessons to be learnt by other businesses.
In November, the ICO fined Ticketmaster £1.25 million for failing to keep its customers' personal data secure, in breach of the General Data Protection Regulation (GDPR). Ticketmaster's failure to put appropriate security measures in place resulted in the personal data of 9.4 million of its European customers potentially being affected (1.5 million of which were in the UK). In addition, 60,000 Barclays Bank card details were reportedly compromised, and Monzo Bank confirmed that it had to replace 6,000 cards as a result of the fraud. Ticketmaster received approximately 997 complaints from customers of financial loss and/or emotional distress.
The data breach
Ticketmaster had installed a chat-bot on its website, to enhance its customers' experience. The chat bot was designed to interpret users' questions and direct them to relevant help articles or information. It was provided by a third party, Inbenta Technologies, Inc., which developed the bot specifically for Ticketmaster. The code was hosted on Inbenta servers. Ticketmaster took the decision to include the chat bot on its payments page which, according to Inbenta, the code had not been intended for as it was a potential security risk.
From around mid-April 2018 onwards, various card issuers, including Monzo Bank and Barclaycard, informed Ticketmaster that a number of their account holders had experienced suspicious or fraudulent activity. All the affected cardholders had used the Ticketmaster website. Several Twitter users also tweeted about malicious code that they had identified on the Ticketmaster site. However, Ticketmaster's initial investigation was unable to identify the source of the breach. In June, Barclaycard informed Ticketmaster of around 37,000 instances of known fraud affecting its debit and credit card holders, all of whom had used the Ticketmaster website. This prompted Ticketmaster to notify the ICO and to carry out further investigations, following which it was able to identify the malicious code.
Ticketmaster's response to the incident
In the course of the ICO investigation, Ticketmaster contended that the chat bot had not been deployed on the payment page for the purpose of collecting cardholders' data. Instead, it had been implemented in order to provide customers with quick access to support as they used the website. Since the bot was not intended to store, transmit or process cardholder data, Ticketmaster claimed that it was not subject to the Payment Card Information Data Security Standard ('PCI-DSS').
However, the PCI-DSS provided that "the PCI-DSS security requirements apply to all system components included in or connected to the cardholder data environment." Accordingly, the chat bot, when configured on a payment page, fell within the scope of the term "system components". As such, the bot should have been subject to the PCI-DSS security requirements, regardless of whether or not it was intended or expected to process payment card information.
Ticketmaster submitted that it had included in the engagement contract Inbenta's undertaking that the chat bot would remain free from malware. It also claimed that Inbenta was aware that the bot would be included on the payment page. Ticketmaster further asserted that it could not have foreseen the access by criminals to its customers' personal data via a third-party software provider. Instead, Ticketmaster contended that it was the 'victim of a novel form of criminal attack' and that it was Inbenta's failings that had caused the incident.
The ICO's findings
The ICO concluded that Ticketmaster had failed to process personal data in a manner that ensured appropriate security. In particular, Ticketmaster had failed to put in place appropriate measures to avoid the risk of third-party scripts from infecting the chat bot code on the payment page. It should have ensured that only authorised changes were made to the website pages that processed personal data, including the payment pages. Ticketmaster should also have had a process for regular testing, assessing and evaluating the effectiveness of its technical and organisational security measures. Prior to the attack, inserting third party scripts to a website or chat bot had, for some time, been a widely known security risk that had been discussed in a number of publications. Ticketmaster ought reasonably to have known about the risk and taken it into account when implementing its technical and organisational security measures.
The ICO observed that there were a range of technical measures available that Ticketmaster could have taken to mitigate or remove the risk of a third party script being inserted to the chat bot. In particular, Ticketmaster could have chosen not to implement the chat bot on the payments page of its website. Prior to the breach, it was well known that hackers frequently direct their activities towards less secure, third party suppliers to organisations, referred to as 'supply chain attacks'. The potential gains criminals can make from stolen payment card information are high in value. Accordingly, Ticketmaster ought reasonably to have been aware of the high likelihood of an attack on its payments page.
The ICO found that Ticketmaster should have addressed the security of the Inbenta chat bot; the implementation of the chat bot into its own infrastructure; and the ongoing verification that an acceptable level of security was maintained. However, Ticketmaster had failed to do so, despite having been alerted to a potential security breach by the card issuers and Twitter users. Ticketmaster implemented the chat bot on its website without sufficient regard to security, not least since it did not need to be included on the payment page at all. Nor did Ticketmaster sufficiently test, assess or evaluate the security measures between the chat bot and its payments page once it had been implemented.
How companies can avoid the same fate?
Among other things, the GDPR obliges organisations to implement appropriate technical and organisational security measures to ensure that personal data are processed securely. Those measures must be proportionate to the risk; an organisation that processes sensitive information such as payment card details must conform to a higher standard of care. If it fails to do so, it risks heavy penalties.
The ICO would expect a documented risk assessment prior to the deployment of any new technology that potentially affects the processing of personal data, such as a chat bot. It would also expect existing security measures to undergo periodic review. The GDPR requires not just technical but organisational security measures, which include considerations such as training, awareness, and management. A failure by a business to recognise and respond to potential breaches in a timely manner may be due to insufficient organisational security measures. This could be taken as an aggravating factor in the event of an ICO investigation.
Businesses that appoint third parties to process personal data on their behalf are subject to additional obligations under the GDPR. To minimise the risk of supply chain attacks, they may only use service providers that give sufficient guarantees around security and the parties must be bound by a contract that incorporates a number of specific, detailed provisions that are prescribed by the GDPR.
Organisations that handle sensitive information such as payment card information should take all reasonable steps to consider the risks they face and take appropriate steps to avoid, or at least mitigate, those risks.
James Castro-Edwards is a solicitor specialising in data protection. He advises domestic and multinational organisations, including FTSE 100 and Fortune 100 companies, on a broad range of data protection issues. As well as providing legal advice, James has developed and delivered innovative data protection training programmes, including a data protection officer training program that was accredited by a European government and regularly provides data protection content for The Law Society. In addition, he wrote The Law Society text book on the GDPR, titled “EU General Data Protection Regulation: A Guide To The New Law