Ticketmaster (TM), which admits that its systems had been hacked, could face a fine of more than £17.6 million, or four per cent of turnover, under the European Union’s new General Data Protection Regulations (GDPR), which came in to affect on 25 May.
The Live Nation Entertainment-owned company says the breach is a result of “malicious software” on third-party customer support partner Inbenta Technologies, a California-based “chatbot” provider, which may have compromised the data of around five per cent of its global customers, some 11.5 million people.
Information which may have been compromised includes customers’ names, addresses, email, telephone numbers, payment details and TM login details.
The data breach has not only affected TM’s primary platform, but also its Ticketweb division and customers using its resale site GetMeIn, as Inbenta’s product was running across all three.
The company, which says it identified the problem on 23 June, has called in forensic and security experts to identify how the data had been accessed and was working with the Information Commissioner’s Office (ICO), as well as credit card companies, banks and relevant authorities.
However, digital bank Monzo says it warned TM of its concern about a series of dubious transactions on 12 April and was told the ticketing giant would investigate internally. The bank replaced the cards of 50 customers who had reported fraudulent transactions on 6 April. It then carried out an investigation that found 70 per cent of affected customers had used their cards with TM in the past five months.
UK-based TM customers who purchased, or attempted to purchase, tickets between 23 February and 23 June may be affected as well as international customers who purchased or attempted to purchase tickets between September last year and 23 June.
TM has contacted all potentially affected customers, advising them to reset their passwords and offering them a free 12-month identity monitoring service. Customers in North America are not affected.
In a statement, the company says, “As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites.”
A few weeks ago, US company Ticketfly was hacked, with around 27 million customers’ data potentially compromised, including names, addresses, email and phone numbers (see Audience issue 221).
The San Francisco-based company was taken offline after what it described as a “cyber incident” on 31 May.
It took until 6 June for the website to be fully functioning again, forcing some of the company’s promoter and venue clients to cancel or rearrange a number of shows.