fbpx

0151 459 5850

Search
Close this search box.

Ticketmaster Data Breach

THIS ACTION IS NOW CLOSED

In 2022, Ticketmaster settled a data breach group action claim following successful mediation and negotiation. We were the only law firm to actively litigate this case in the UK, and we represented over 1,000 customers in this action. Ticketmaster denied liability for the claims, and the settlement was made on a no-admission basis. 

While we are prohibited from discussing the terms of the settlement, this page explains how the data breach happened, the facts of the case, and the consequences for the affected customers. 

The Ticketmaster Data Breach 

The Ticketmaster data breach happened in 2018 because of a cyberattack perpetrated on software supplied to Ticketmaster by a third party and operated on that third party’s systems and servers. The chatbot, built by Inbenta Technologies, was installed on Ticketmaster’s online payments page.  

By injecting malicious code into the chatbot, cyberhackers were able to skim and steal customer payment information as they made purchases on the Ticketmaster website. The malicious program was subsequently removed, but not before hackers accessed personal and financial details of up to 40,000 Ticketmaster customers in the UK. 

The ICO’s investigation and fine

In 2020, the Information Commissioner’s Office (ICO), which is the UK’s data protection regulator, issued a £1.25 million fine against Ticketmaster. According to the ICO “Ticketmaster failed to process personal data in a manner that ensured appropriate security of the personal data”.  

The ICO’s investigation also found that:  

  • Despite being warned about the possibility of fraudulent transactions relating to its website, Ticketmaster initially failed to find evidence of the personal data breach
  • Around 60,000 Barclays Bank individual card details were compromised, and Monzo Bank replaced around 6,000 cards in relation to Ticketmaster transaction fraud
  • There were several security failures by Ticketmaster, including not putting appropriate measures in place to negate the risk from the danger of third-party scripts infecting the chat bot on the payment page of its website
  • Ticketmaster failed to notify the ICO about the breach without undue delay as it is required to under the GDPR.

Although the breach began in February 2018, the ICO’s penalty only relates to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect. 

Why did people take legal action against Ticketmaster?

Because of the Ticketmaster data breach, many customers were forced to change their bank accounts or credit cards. Some Ticketmaster customers reported fraudulent activity on their credit/bank cards.  Most of the clients we represented in this case suffered multiple fraudulent transactions or experienced distress and/or psychological trauma because of the hack. 

While the Information Commissioner’s Office (ICO) fined Ticketmaster for the breach, this payment was not used to compensate victims. Any money received by the ICO in data breach cases goes to the Treasury. So, the only way Ticketmaster customers could get compensation for the data breach was to take legal action.  

Ticketmaster Data Breach Timeline

  • February 2018 -23 June 2018
    Ticketmaster experienced a data breach incident when some people who bought, or attempted to buy, tickets through Ticketmaster, GetMeIn! and TicketWeb had their personal information compromised in a cyber-attack.
  • 12 April 2018
    Monzo contacted Ticketmaster with concerns over fraudulent activity in customer accounts who’d used Ticketmaster. Ticketmaster’s security team said it would investigate the issue.
  • 16 April 2018
    Monzo provided Ticketmaster evidence that it described as a "smoking gun", and proof that Ticketmaster's website was the source of a personal data breach.
  • 19 April 2018
    The Commonwealth Bank of Australia informed Ticketmaster of suspected fraud on almost 200 accounts that shared Ticketmaster as a common purchase point. Barclaycard, MasterCard and American Express also reported suggestions of fraud to Ticketmaster around this time.

    Ticketmaster published a statement informing Monzo that an internal investigation had found no evidence of a personal data breach. Ticketmaster also said that no other banks were reporting similar patterns of fraudulent transactions. Monzo began proactively sending out replacement cards to current account customers who had used their cards at Ticketmaster.
  • 27 April 2018
    Monzo let Ticketmaster know that there had been “a sharp decline in fraudulent transactions” since replacing the cards.
  • 1 May 2018
    The Commonwealth Bank of Australia provided Ticketmaster with data on 1,756 MasterCard users who had been victims of fraud, and who had all bought tickets on Ticketmaster's Australian website.
  • 5 May 2018
    Ticketmaster engaged four third party forensics firms to investigate the Australia Event and any data breach and subsequent fraud.
  • 10 May 2018
    Visa contacted Ticketmaster identifying several indicators of a compromise. Ticketmaster’s Incident Response Team subsequently analysed these indicators but failed to identify the malicious code.
  • 25th May 2018
    The General Data Protection Regulation came into force with strict fines for companies that fail to protect customer information.
  • 31 May 2018
    An individual using the Ticketmaster Ireland Website disclosed that their antivirus product had identified Ticketmaster's website as malicious. The Inbenta tag was highlighted as a threat.
  • 1 June 2018
    Ticketmaster internally reported that "the worst-case scenario is that they [Inbenta] are indeed hacked/infected and serving up rogue malicious content to our userbase.”
  • 6 June 2018
    Inbenta emailed Ticketmaster to indicate that the identification of Ticketmaster's website as malicious by an antivirus product was erroneous. Nevertheless, Ticketmaster instructed its Incident Response Team to expand its investigations to include all Ticketmaster domains.
  • 8 June 2018
    The Incident Response Team reported that it had scanned 117 terabytes of data to search for malware and found no indication of malware.
  • 22 June 2018
    Ticketmaster received a notification from Barclaycard regarding around 37,000 instances of known fraud. This is the date from which Ticketmaster states that it had knowledge of the breach in reports submitted to the ICO.
  • 23 June 2018
    Ticketmaster sent a formal personal data breach notification to the ICO.
  • 27 June 2018
    Ticketmaster notified customers that malware had infected one of its systems and could have skimmed their personal data, including payment details.
  • 13 November 2020
    The ICO fines Ticketmaster UK £1.25m for failing to keep its customers' personal data secure.
  • 10 February 2022
    Claimants represented by KP Law (Then Keller Lenkner UK) settled their High Court action against Ticketmaster.

Your questions answered

See our answers to the FAQs we get asked about the Ticketmaster Data Breach.

Who was behind the 2018 Ticketmaster data breach?

In 2018, cybercriminals hacked Ticketmaster’s website resulting in a significant data breach. The Ticketmaster data breach exposed customer names, addresses, email addresses, phone numbers, financial/payment details and Ticketmaster login details. In total, an estimated 40,000 people in the UK had their payment details swiped. The attack was orchestrated by a group of hackers known as Magecart 

Who was eligible to make a Ticketmaster data breach claim?

UK customers who purchased, or attempted to buy, tickets between February and June 23rd, 2018, may have been affected by this breach. Ticketmaster emailed those involved, informing them that their data was put at risk. Everyone who received this email was eligible to join our group action compensation claim.  

Was Ticketmaster fined under the GDPR?

The Ticketmaster presented a challenge to the ICO. With the General Data Protection Regulation (GDPR) coming into force in May 2018, and the breach taking place between September 2017 and 23 June 2018, the violation spanned two different data protection acts. The ICO got around this problem by issuing a penalty related only to the breach from the date the new GDPR rules came into effect. 

Recent awards, shortlistings, and listings

KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.

Previous
Next
Read more about our success and recognition
CONTACT US
  • 0151 459 5850
  • enquiries@kpl.co.uk
  • 316 - 319 Cotton Exchange Old Hall Street, Liverpool, L3 9LQ
  • 81 Chancery Lane, London, WC2A 1DD
  • Two Snowhill, Birmingham, B4 6GA
  • 3 Hardman Square, Spinningfields, Manchester, M3 3EB
USEFUL LINKS
START A CLAIM

KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.  

FOLLOW US
Facebook Linkedin

Disclaimer | Privacy Policy | Cookies |  Complaints | Equality & Diversity