An analysis of the Monetary Penalty Notice issued by the Information Commissioner’s Office to Ticketmaster UK Limited dated 13 November 2020

On 13 November 2020, the ICO issued Ticketmaster with an MPN, fining the ticket sales and distribution company £1.25 million for breaches of Articles 5(1)(f) and 32 GDPR.

Introduction

On 13 November 2020, the Information Commissioner’s Office (the “ICO”) issued Ticketmaster UK Limited (“Ticketmaster”) with a Monetary Penalty Notice (“MPN”), fining the ticket sales and distribution company £1.25 million for breaches of Articles 5(1)(f) and 32 GDPR. The breaches related to a cyber-attack which took place in the first half of 2018 and compromised the personal data of up to 9.4 million customers.

The data breach began on 10 February 2018; however, the ICO’s findings are confined to the period following the implementation of the GDPR, namely 25 May 2018 to 23 June 2018 (the “Relevant Period”).

This represents the third high profile fine issued by the ICO in the space of a month, following the £20 million penalty imposed on British Airways (“BA”) on 16 October 2020 and the £18.4 million penalty imposed on Marriott on 30 October 2020. All three fines relate to breaches of Articles 5(1)(f) and 32 GDPR, highlighting the ICO’s willingness to pursue enforcement action where organisations fail to implement "appropriate technical and organisational measures".

As with the BA and Marriott MPNs, the Ticketmaster MPN contributes to the developing jurisprudence available to organisations on what constitutes "appropriate technical and organisational measures" for data controllers processing significant volumes of personal data, particularly payment-related data.

Continuing the trend of reductions between the fine proposed by the ICO in a Notice of Intent (“NOI”) and the final figure reached in the MPN, Ticketmaster’s penalty was reduced from the £1.5 million proposed in the NOI to £1.25 million, a much less significant reduction, in proportionate terms, than those made in relation to BA and Marriott.

It is also worth noting that, like the BA data breach, the Ticketmaster breach arose from issues relating to third parties who were involved in Ticketmaster's digital supply chain. As in BA's case, the ICO was entirely unreceptive to Ticketmaster's representations that this fact (and the fact that it had been targeted by malign third parties) in any way obviated its responsibilities as data controller.

Ticketmaster has indicated that it intends to appeal the MPN to the First-tier Tribunal.

Background

The data breach

In summary, the facts of the data breach are as follows:

  • Ticketmaster installed a chatbot on its payment page. The chatbot was hosted by Inbenta Technologies (“Inbenta”), an external third party, and the JavaScript for the chatbot was served from Inbenta’s server;
  • An unauthorised third party inserted malicious code into the JavaScript for the Inbenta chatbot, enabling it to “scrape” personal data submitted on the Ticketmaster payment page. The code “scraped” predominantly financial data, including names, payment card numbers, expiry dates and CVV numbers;
  • Inbenta was made aware of a potential compromise to its code from as early as 20 February 2018;
  • Monzo received a number of reports from its customers regarding fraudulent activity on their accounts. Monzo’s investigation of the fraudulent activity revealed that a high percentage of the customers affected had previously shopped at Ticketmaster. Throughout April 2018, Monzo reported the fraudulent activity to Ticketmaster. Monzo’s reports provided details of the cards that had been compromised and further evidence indicating that Ticketmaster was, in Monzo’s view, incontrovertibly the source of the breach;
  • Towards the end of April 2018, Ticketmaster received further notifications relating to suspected fraudulent transactions by the Commonwealth Bank of Australia, Barclays, MasterCard and American Express;
  • At the beginning of May 2018, Ticketmaster engaged an incident response team (the “Incident Response Team”), consisting of four third party forensic firms, to investigate reports of fraud relating to Ticketmaster’s Australian website (but not other aspects of its business);
  • Throughout May 2018, Ticketmaster received a number of reports from individuals (including Twitter users) that its website had been compromised;
  • At the beginning of June 2018, the Incident Response Team’s investigation was extended to cover all Ticketmaster domains;
  • The Incident Response Team notified Ticketmaster that it had not found any indication of malware;
  • On 22 June 2018, Barclaycard reported 37,000 instances of known fraud to Ticketmaster. Ticketmaster claimed that this was the date from which it was on notice of the data breach;
  • Malicious code on Ticketmaster’s website was identified at around 13:00 on 23 June 2018. The majority of that code was fully disabled on that same day;
  • Ticketmaster reported the data breach to the ICO at 23:14 on 23 June 2018, some 27 hours after the point at which, on Ticketmaster’s own case, it was on notice of the breach, but some months after it was first made aware of issues in April 2018. Its notification addressed the delay in reporting as follows: “While we have been notified of a possible compromise, because there has been no confirmation of a breach, there has been no delay in reporting”;1
  • All potentially impacted data subjects were informed of the data breach by an email sent by Ticketmaster on 28 June 2018; and
  • Ticketmaster sent an updated data breach notification to the ICO on 29 June 2018.

The ICO’s regulatory response

The ICO commenced its investigation shortly thereafter. The NOI was issued to Ticketmaster on 7 February 2020, in which a penalty of £1.5 million was proposed.

On 7 April 2020, Ticketmaster provided its first set of representations in response to the NOI:

  • Ticketmaster challenged the ICO’s findings, stating that they rested “on the application of an unduly high security standard, well beyond that which is typically practised in the online service industry and that which is required under Articles 5(1)(f) and 32 GDPR”2.
  • Ticketmaster asserted that the security measures that it had adopted were “reasonable, proportionate and appropriate, given the risk-landscape faced by Ticketmaster at the time”3.
  • Further, Ticketmaster claimed to be the “victim of a novel form of criminal attack”4. It also highlighted the fact that the JavaScript software which was attacked was “authored and served by a trusted third party software provider”, such provider [Inbenta] having contracted with Ticketmaster that the chatbot would remain free of all malware.

Taken together, Ticketmaster argued that these factors meant that the risk “was not something that could reasonably have been foreseen by Ticketmaster”5.

Ticketmaster subsequently made two further sets of representations in response to the NOI.

In addition, the ICO afforded Ticketmaster the opportunity to make financial representations regarding the impact that Covid-19 had on its business6.

The basis on which the fine was calculated

As with the BA and Marriott MPNs, the Ticketmaster MPN analyses the penalty in line with the five-step approach in the ICO's Regulatory Action Policy (“RAP”)7.

In calculating the penalty figure in accordance with the RAP, the Commissioner relied on the following factors:

  • The fact that Ticketmaster did not derive any financial benefit from the breach8;
  • The “significant contravention”9 of the GDPR which the breach constituted;
  • The significant number of data subjects affected: 9.4 million customers, of which approximately 1.5 million were UK customers10;
  • The length of time that it took Ticketmaster to discover the breach and its ineffective response to the various reports raised by numerous banks attempting to alert Ticketmaster to the breach (as noted above, Monzo and other third parties had informed Ticketmaster of a potential breach from April 2018, and Inbenta had been alerted to a possible compromise of its code as early as February 2018)11;
  • The “ineffective” instructions given by Ticketmaster to the Incident Response Team which limited “the scope and depth of the investigations” carried out by the Incident Response Team12;
  • Ticketmaster’s failure to act in accordance with the PCI-DSS standard13;
  • The negligent (but not intentional) nature of the breach14. The Commissioner noted in this regard: "Ticketmaster displayed a lack of consideration to protect personal data and was negligent for the purposes of Article 83(2)(b). It was negligent of Ticketmaster to presume, without adequate oversight or technical measures, that Inbenta could provide an appropriate level of security in respect of the processing of payment cards. In particular, Ticketmaster's breach of the PCI-DSS standard was negligent for the purposes of Article 83(2)(b)"15;
  • The fact that Ticketmaster was found to be “entirely responsible for the security of its systems and the protection of personal data”16;
  • The mitigating steps taken by Ticketmaster to limit damage suffered by data subjects, including arranging for 12 months of credit monitoring for affected individuals17;
  • The absence of any previous infringements on Ticketmaster’s part18; and
  • The full co-operation of Ticketmaster with the ICO, save for the provision of certain financial information19.

Having regard to the aforementioned factors, the Commissioner considered that a penalty of £1.5 million was appropriate.

The mitigating factors considered by the Commissioner in deciding on the amount by which that figure should be reduced included:

  • Financial hardship: the Commissioner noted that she had “had regard to the impact of Covid-19 on Ticketmaster and the continuing uncertainty resulting therefrom”. More specifically, she acknowledged that Ticketmaster was forced to cancel or reschedule nearly all events in the final three quarters of 202020;
  • Remedial steps taken by Ticketmaster which included forced password resets across all of its domains21 and the creation of a website for customers and the media to obtain information about the breach22; and
  • The fact that Ticketmaster had incurred “considerable” costs in relation to the breach23.

In light of these factors, and “having regard to the exceptional circumstances prevailing as a consequence of the Covid-19 pandemic”24, the initial figure of £1.5 million was reduced to £1.25 million. This “exceptional” reduction was stressed to be a result of the “Commissioner’s regulatory approach during the Covid-19 pandemic”25.

In contrast to the BA and Marriott MPNs, it is not entirely clear from the MPN whether the £250,000 reduction relates solely to the impact of Covid-19 on Ticketmaster’s financial position, or whether the other mitigating factors set out above also contributed to it. Nevertheless, the Ticketmaster MPN continues the trend of reductions between the fine proposed by the ICO in the NOI and the final figure reached in the MPN, albeit that, in this case, the reduction was much less significant in proportionate terms than those made in respect of BA and Marriott.

However, it is worth noting that the Commissioner drew attention to the fact that Ticketmaster failed to answer questions posed by the ICO in relation to costs, and to provide general information as to its financial position and the government support it was receiving26. It is not clear to what extent, if at all, these omissions reduced the overall reduction that Ticketmaster might otherwise have received.

It is also important to note that, whilst the fine is far lower in absolute terms than that faced by BA and Marriott, by reference to overall turnover, it is substantially higher (1.2% by comparison with 0.25% (BA) and 0.1% (Marriott)). Again, it is not clear why this is the case. However, it could potentially reflect, amongst other things, the fact that a "significant number of affected data subjects reported having suffered financial loss and/or emotional distress as a result of the breach", and Ticketmaster's dilatory approach after third parties had drawn the breach to its attention.

Appropriate technical/organisational measures

In reaching the conclusion that “Ticketmaster failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR”27, the Commissioner focussed principally on the fact that Ticketmaster “had not put in place appropriate measures to negate the risk from the danger of third party scripts infecting the chatbot on the payment page of Ticketmaster’s website”28.

The Commissioner made explicitly clear that “[i]mplementing third party JavaScripts into a website or chatbot has, for some time, been a known security risk”29. This risk is magnified when third party scripts are included in certain parts of a website, such as the payment page, because the script runs with full access to the page and to whatever the customer types into it. The Commissioner made reference to numerous industry publications which, in her words, “demonstrate that the risk from third party scripts was well-established within the cyber and payment card security industry”30 in this regard.

The Commissioner also made it clear that Ticketmaster should have been aware that “attackers frequently target less secure third party organisations supplying services to a primary organisation”31 (i.e. supply chain attacks). In light of these factors, the Commissioner noted that Ticketmaster “ought to have been aware that the severity and likelihood of an attack to obtain personal data entered on the payment page of [its] website were both high”32. In her view, Ticketmaster showed “very limited knowledge at the date of the Incident of the risk[s]”33.

The Commissioner noted that three “objectives” should have been addressed by Ticketmaster:

1  Undertaking appropriate checks to ensure the security of the Inbenta chatbot34

The Commissioner found that:

  • As part of its Third Party Vendor (“TPV”) Program, Ticketmaster was required to conduct periodic security vetting of any third party vendors. The Commissioner found that, at the point at which the data breach started, the last periodic security vetting of Inbenta had been completed in 201335.
  • The ICO placed “little weight” on Inbenta’s ISO 27001 certification which Ticketmaster had relied upon as evidence that the chatbot was secure36.
  • Although the absence of a business requirement document or similar specification is not always indicative of a breach of the GDPR, the ICO noted that Ticketmaster failed to provide evidence that Inbenta was obliged to design the chatbot for use on the Ticketmaster payment page, and this was “illustrative of Ticketmaster’s failure to secure the chatbot appropriately”37.
  • Ticketmaster failed to implement a “layered approach to security”38 which would have been appropriate in this case owing to the “clear risk of third party scripts within a payment page, and the scale of personal data, including payment card data, processed on the payment page”39.
  • Despite receiving a number of reports from banks regarding the fraud and its suspected cause as early as 6 April 2018, Ticketmaster failed to conduct an initial check of the integrity of the chatbot. Instead, “Ticketmaster continued to place undue reliance on Inbenta’s contractual security obligations and failed to take sufficient and timely steps of its own to address the security of the chatbot”40.

2  The implementation of the Inbenta chatbot into Ticketmaster’s own infrastructure41

The Commissioner listed the following proportionate steps that could have been taken by Ticketmaster to implement the Inbenta chatbot into its own infrastructure:

  • Deciding, from the outset, that the chatbot should not be included on its payment page;
  • Conducting a risk assessment before installing third party scripts to the payment page; and
  • Implementing technical measures on its payment page to address the risk of third party scripts, including, for example, subresource integrity (“SRI”), under which the page pins a cryptographic hash of the expected script and the browser refuses to execute a copy whose contents do not match42. The Commissioner later noted that SRI is “an appropriate measure with regard to the state of the art” and that she did not consider that “the mere fact that JavaScript may be used as a dynamic scripting language is, of itself, a proper reason not to implement SRI”43. If for any reason SRI could not have been implemented, the Commissioner would have expected Ticketmaster to explain why this was the case, and to show that it had considered other measures, such as a content security policy (“CSP”), iFrames and the local hosting of the script44.
  • The Commissioner did not accept that the mere existence of the Inbenta contract "offered an alternative appropriate level of security comparable with solutions such as SRI and, iFrames"45.

3  Undertaking on-going verification that security was being achieved to an acceptable level46

The Commissioner found that Ticketmaster had:

  • failed to show that it had used key performance indicators in order to monitor the ongoing security of the chatbot47;
  • failed to show that it reviewed and monitored the chatbot in such a way that would have “detected and mitigated the risk of malicious code changes”48;
  • admitted that, prior to the data breach, it did not require Inbenta to obtain authorisation before making changes to the script of the chatbot49;
  • failed to adequately test, assess or evaluate the security measures in relation to the chatbot: for example, there was no adequate risk assessment in place; SRI had not been implemented prior to the data breach; and it did not use a content security policy prior to the data breach50; and
  • did not have a method in place to test the security measures between the chatbot and the payment page (the Commissioner did not, however, expect Ticketmaster to undertake white box testing of the proprietary chatbot source code51).

Notification

As readers will be aware, Article 33 GDPR required Ticketmaster to notify the Commissioner “without undue delay and, where feasible, not later than 72 hours” after becoming aware of the breach.

The NOI set out the ICO's provisional view that Ticketmaster had breached Article 33 GDPR in failing to notify the ICO of the breach sufficiently promptly.

However, the MPN does not contain such a determination, as it appears the Commissioner considered a number of Ticketmaster’s representations in this regard persuasive, namely that the Commissioner:

  • had applied: “an incorrect standard for becoming “aware” of a breach”52;
  • had not considered: “the significance of the Barclaycard notification that only occurred on 22 June 2018, or its resulting shift in investigative focus”53; and
  • had: “rested on incorrect facts and unrealistic assumptions that unfairly second-guess the decisions that Ticketmaster made at the time as to how to direct its investigations”54.

Next steps

Ticketmaster has indicated its intention to appeal the decision. In order to appeal the MPN to the First-tier Tribunal, Ticketmaster must serve a notice of appeal by no later than 11 December 2020. We are not yet aware of whether this has been served.

Comment

Beware of the risks posed by third parties

As noted above, the Ticketmaster breach, like the BA breach, arose from issues relating to third parties in the controller’s digital supply chain, and the ICO was entirely unreceptive to the argument that this fact (or the fact that Ticketmaster had been targeted by malign third parties) in any way obviated its responsibilities as data controller.

The Commissioner also gave short shrift to Ticketmaster’s representations regarding its reliance on contractual terms obliging Inbenta to ensure that software it supplied to Ticketmaster would be free from malware and to Ticketmaster’s allegations that Inbenta had made certain misrepresentations in this regard55.

Data controllers would therefore be well-advised to ensure that they take appropriate steps to mitigate the losses arising from such breaches, for example, by obtaining sufficiently wide-ranging indemnities from companies in their digital supply chain. Such indemnities address the financial consequences only; as the MPN makes clear, contractual assurances from a supplier do not transfer the controller’s own responsibility for securing its payment page.

Chatbots and payment pages: a recipe for disaster

Perhaps the most obvious, and basic, point to emerge from the MPN is this: if at all possible, do not use a chatbot on the payment page of a website. As the Commissioner makes clear: "a chat bot is not strictly necessary for the service of taking a payment, [and] common industry guidance and standards did not recommend its inclusion on the payment page of a website."56

Interaction with the regulator

Whilst the reduction to the fine originally proposed in the present case was significantly less than in the BA and Marriott cases, the Ticketmaster MPN nevertheless once again highlights the value of submitting detailed representations to the ICO. Amongst other things, the MPN expressly acknowledges that Ticketmaster’s representations had a part to play in the ICO’s volte-face in relation to its preliminary finding of a breach of Article 33 GDPR, and it was noted that the broader representations “resulted in changes and clarifications to the form and content of the draft decision”57.

The MPN also highlights the importance of total co-operation with the ICO. The Commissioner’s unfavourable comments regarding Ticketmaster’s failure to provide complete financial information suggest – and it is no more than a suggestion – that the reduction may have been greater (albeit perhaps not by very much) had Ticketmaster been more forthcoming with this additional information.

Civil claims against Ticketmaster

It is understood that proceedings have already been issued against Ticketmaster on behalf of affected data subjects, which may well lead Ticketmaster to find itself facing liabilities far in excess of the penalty imposed by the ICO58. Please refer to our analysis of the BA MPN for a more in-depth analysis of civil claims in this context.

1 Paragraph 3.27.3 of the MPN.

2 Paragraph 5.5.4 of the MPN.

3 Paragraph 5.5.1 of the MPN.

4 Paragraph 5.5.3 of the MPN.

5 Paragraph 5.5.3 of the MPN.

6 As noted in our analysis of the BA and Marriott MPNs, at law Ticketmaster was limited to making a single set of representations. Whilst not explicitly set out in the MPN, we expect that the Commissioner permitted further representations for the same reasons as in relation to BA and Marriott, namely: the complexity of the case; issues arising from Ticketmaster’s initial representations; and “the fact that this is one of the first major decisions made under the new EU data protection regime”.

7 Namely:

  • Step 1. An ‘initial element’ removing any financial gain from the breach.
  • Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) of the DPA.
  • Step 3. Adding in an element to reflect any aggravating factors.
  • Step 4. Adding in an amount for deterrent effect to others.
  • Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship).

8 Paragraph 7.7 of the MPN.

9 Paragraph 7.9 of the MPN.

10 Paragraph 7.10 of the MPN.

11 Paragraph 7.11 of the MPN.

12 Paragraph 7.12 of the MPN.

13 Paragraphs 3.43 – 3.52 and 7.14 of the MPN. In particular, it was found that: "[t]he Ticketmaster/Inbenta contract did not include any contractual provisions specifically in relation to the payment environment. Notwithstanding, in its Representations and the Comments, Ticketmaster asserts that it was entitled to rely on Inbenta to provide a safe chat bot on account of Inbenta being "a reputable specialist software company that passed Ticketmaster's vetting procedures ... [which had] provided assurances about the safety of its software and services. Those assurances were reflected in contractual commitments imposed on Inbenta" (§7 of the Comments)."

14 Paragraph 7.15 of the MPN.

15 Paragraph 7.15 of the MPN.

16 Paragraph 7.26 of the MPN.

17 Paragraph 7.21 of the MPN.

18 Paragraph 7.27 of the MPN.

19 Paragraph 7.28 of the MPN.

20 Paragraph 7.38 of the MPN.

21 Paragraph 7.34.3 of the MPN.

22 Paragraph 7.34.5 of the MPN.

23 Paragraph 7.34.6 of the MPN. These costs included "£3,989,000.00 of legal costs [that] were attributable to the Incident" as at the date of the MPN.

24 Paragraph 7.40 of the MPN.

25 Paragraph 7.40.3 of the MPN.

26 Paragraph 7.39 of the MPN.

27 Paragraph 6.1 of the MPN.

28 Paragraph 6.21 of the MPN.

29 Paragraph 6.15 of the MPN.

30 Paragraph 6.16 of the MPN. The relevant publications – with links to the full text – are referenced in paragraphs 6.16.1-6.16.12 of the MPN.

31 Paragraph 6.19 of the MPN.

32 Paragraph 6.21 of the MPN.

33 Paragraph 6.26 of the MPN.

34 Paragraph 6.22 of the MPN.

35 Paragraph 6.22.2 of the MPN.

36 Paragraph 6.22.3 of the MPN.

37 Paragraph 6.22.4 of the MPN. Inbenta's position is, as set out at paragraph 3.33 of the MPN, "... The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what it was built for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat."

38 Paragraph 6.22.6 of the MPN.

39 Paragraph 6.22.6 of the MPN.

40 Paragraph 6.22.9 of the MPN.

41 Paragraph 6.23 of the MPN.

42 Paragraph 6.23.3 of the MPN.

43 Paragraph 6.24.3.6 of the MPN.

44 Paragraph 6.24.3.12 of the MPN.

45 Paragraph 6.24.3.14 of the MPN.

46 Paragraph 6.24 of the MPN.

47 Paragraph 6.23.1 of the MPN.

48 Paragraph 6.24.1 of the MPN.

49 Paragraph 6.24.2 of the MPN.

50 Paragraph 6.24.3 of the MPN.

51 Paragraph 6.24.3.16 of the MPN.

52 Paragraph 6.28 of the MPN.

53 Paragraph 6.28 of the MPN.

54 Paragraph 6.28 of the MPN.

55 Paragraph 3.34 of the MPN.

56 Paragraph 6.23.1 of the MPN.

57 Paragraph 5.7 of the MPN.

58 These proceedings could give rise to a liability of approximately £1.125 billion if each of the approximately 1.5 million affected data subjects based in the UK pursued a claim against Ticketmaster and was awarded £750 in damages (in line with the award of damages for distress under section 13(2) Data Protection Act 1998 in Halliday v Creation Consumer Finance Limited [2013] EWCA Civ 333; n.b. that was an award made in circumstances where the Court was presented with at least some evidence that Mr Halliday had, in fact, suffered distress).