Illustration for article titled Ticketmaster Fined More Than $1.6 Million Following 2018 Data Breach

Graphic: Ticketmaster

Ticketmaster’s UK wing has been fined £1.25 million pounds (roughly $1.6 millions) following an investigation into the company’s lackluster response to a massive 2018 data breach affecting more than nine million customers.

That’s according to a notice from the UK’s Information Commissioner’s Office (ICO) earlier today. The data watchdog stated that Ticketmaster’s failure to “put appropriate security measures in place” at the time compromised the full credit card details of a whopping 9.4 million European customers—including 1.5 million in the UK proper. Per the ICO, 60,000 cards were subject to known fraud. At least 6,000 cards were replaced by one local bank following some “suspected” fraudulent payments.

All things considered, Ticketmaster got off relatively easy considering both how much money the company had raked in since the initial breach, and how badly it seems the company handled the news at the time. Reading through the official penalty notice that the ICO issued, Ticketmaster started receiving notices of potentially fraudulent transactions in April of 2018, but waited for nine weeks before actually investigating what the root cause might be. Then, in early June of that year, the company’s internal response team reported that after scanning 117 terabytes of data from the Ticketmaster systems, it couldn’t find any sign of malware—despite multiple customers’ antivirus software flagging some of the company’s European-facing sites.

By the time the company got its act together by the end of June 2018, the untold number of rightfully worried customers that had already been reaching out, in some cases for months on end were joined in voicing their concerns to Ticketmaster by card companies themselves, like Visa, American Express and Mastercard.

Eventually, the breach was traced back to a vulnerability in a third-party chatbot installed onto Ticketmaster’s online payments page. According to the ICO, the bot—which was built by the California-based developer Inbenta Technologies—was built to interpret user’s questions and help guide them through the site. At the time, Ticketmaster said that this bot was a“critical part of the customer’s journey.”

A bad actor attacked Inbenta’s servers, and was able to plug malicious code into this bot, according to the notice. This code was built to scrape any data that Ticketmaster’s customers would put it anywhere on the page. And because the bot was apparently active on Ticketmaster’s payment pages, the data that was scraped included all of the credit card details that these customers used in their ticket purchases.

In a statement to the BBC about the incident, Ticketmaster simply noted that the company “takes fans’ data privacy and trust very seriously,” and plans to appeal against the fine, noting that “since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.”