The Information Commissioner’s Office has fined Ticketmaster £1.25m after the site’s operators failed to spot a Magecart card skimmer infection until after 9 million customers’ details had been slurped by criminals.
The breach began in February 2018 and was not detected until April, when banks realised their customers’ cards were being abused by criminals immediately after they were used for legitimate purchases on Ticketmaster’s website.
Key to the criminals’ success was Ticketmaster’s decision to deploy a JavaScript-powered chatbot on its website payment pages, giving criminals an easy way in by compromising the third party’s JS – something the ICO held against Ticketmaster in its decision to award the fine.
Ticketmaster ‘fessed up to world+dog in June that year, and the final damage has now been revealed by the Information Commissioner’s Office (ICO): 9.4m people’s data was “potentially affected”, of which 1.5m were in the UK; 66,000 credit cards were compromised and had to be replaced; and Ticketmaster itself doesn’t know how many people were affected between 25 May and 23 June 2018.
Today’s fine only applies to that May-June period, which happens to be after the Data Protection Act 2018 – the UK implementation of the EU’s GDPR – came into force. This allowed the ICO to impose a higher penalty than it could have done under the pre-GDPR legal regime.
[…]
Ticketmaster remains in denial about its culpability for the breach, telling The Register in a statement: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal today’s announcement.”
Inbenta Technologies supplied a custom JavaScript-powered chatbot to Ticketmaster which was compromised by the Magecart operators.
Crucially, for whatever reason, Ticketmaster deployed the chatbot on its payment pages, giving the criminals a way in.
As we reported in 2018, Inbenta told us of Ticketmaster’s deployment of the JavaScript in question: “Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”
[…]
“It took Ticketmaster approximately nine weeks from the date of Monzo’s notification of possible fraud involving the Ticketmaster website for Ticketmaster to run a payment through its payment page and monitor the network traffic thereon,” said an incredulous ICO, which noted that it took a random Twitter user explaining why JS on a payments page is a bad thing for the business to wake up and do something about it.
Barclaycard and American Express also noticed suspicious goings-on in April 2018, but Ticketmaster steadfastly denied anything was wrong until May, eventually realising the game was up in June.
[…]
Robin Edgar