Ticketmaster’s data breach first test for GDPR regulations
A malware attack on a third-party partner of ticket-selling platform Ticketmaster led to hackers stealing the names, log-in details, card details, and addresses of Ticketmaster account holders. Ticketmaster customers who used the service between September 2017 and June 2018 are at risk of being affected by the breach, which contravenes both the Data Protection Act 1998 and the UK’s implementation of GDPR.
For businesses, the significance of this case lies in the different levels of fine that can be imposed. Under the 1998 act, UK regulators can fine businesses a maximum of £500,000. However, under the 2018 GDPR regulation, the fines can go as high as £17 million or 4% of annual turnover, whichever is higher.
The ICO is likely to take the unusual step of prosecuting Ticketmaster under both regulations. The breaches include unauthorised access, failure to put in place appropriate data protections, and not adapting to GDPR policies. The breaches fall either side of 15 May 2018 – when GDPR became law – and thus would be subject to investigation under both regulations.
According to Ticketmaster, it discovered the breach on 23 June but did not inform customers until 27 June. This potentially reveals a further breach of the regulation, which requires that a company inform customers of a personal data breach without undue delay and inform the ICO within 72 hours. This breach in itself could cost the company a further 2% of annual revenue.