The ICO’s monetary penalty notice issued to Ticketmaster

The ICO’s monetary penalty notice (MPN) issued to Ticketmaster makes interesting, if not worrying, reading. A LOT of buck passing preceded, and arguably slowed, identification of the compromise. Indeed, a customer notified Ticketmaster via Twitter about the vulnerability 6 or 7 weeks before Ticketmaster and their incident response team identified it.

It seems fairly obvious to the Outsourced DPO, who is not a particularly technical person, that putting a chat bot on a payments page was a risky idea. Putting anything on that page that is superfluous to the processing of payment information is a bad idea, and the PCI DSS prohibition on using end-user messaging technologies such as chat bots and email to transmit payment card information should have been a clear warning. However, someone at Ticketmaster must have successfully argued that the chat bot was essential for the “customer journey”, because there it was.

The MPN points out several failures by Ticketmaster to meet the Payment Card Industry Data Security Standard (PCI DSS). This is interesting, as the Marriott MPN also cited the PCI DSS. Ticketmaster argued that the chat bot was not designed to process cardholder data. But as a component connected to the cardholder data environment, it was always within, or at least potentially within, the scope of that cardholder data environment (CDE). As the merchant (i.e. Ticketmaster) is responsible for identifying the scope of its CDE, perhaps the exclusion of the chat bot was never challenged.

The great thing about the ICO publishing comprehensive MPNs is that they are, or should be, a great source of learning for others. DPOs and privacy managers up and down the country will now be seeking to carry out vulnerability testing on their payment pages and to undertake DPIAs on their use and deployment of chat bots and other third-party applications on their websites. The principal failures cited in the MPN are:

  1) Failure to process personal data in a manner that ensures appropriate security … using appropriate technical and organisational measures (Article 5(1)(f)). The MPN says that while some measures were in place, they were insufficient in the circumstances;
  2) Failure to ensure the ongoing integrity of processing systems (Article 32(1)(b)). Ticketmaster allowed unauthorised changes to its website payment pages;
  3) Failure to regularly test, assess and evaluate the effectiveness of technical and organisational controls (Article 32(1)(d)). Had the chat bot been considered within the scope of the CDE, it would have been subject to regular testing;
  4) Failure to implement state of the art measures appropriate to the risk (Article 32). The MPN expresses the opinion that Ticketmaster should have been aware of attack vectors (methods of attack), that “state of the art” includes having up-to-date knowledge, and that embedding third-party JavaScript in a website or chat bot has, for some time, been a known security risk.

Some interesting take-aways from the Ticketmaster MPN are:

  • Commercial and marketing representations about the customer experience need tempering and risk assessing;
  • Just as we are to minimise data collection, we should keep application functionality to an absolute minimum. Don’t deploy unnecessary functions, or switch them off;
  • Challenge the scoping of your PCI DSS cardholder data environment – don’t assume it was correctly scoped last year and remains “as is”;
  • Regularly test your customer journeys on your websites and document the findings;
  • Up-to-date knowledge of the technologies you choose to implement and use is considered a prerequisite. If you don’t understand the latest or state of the art thinking about those technologies – don’t deploy them until you do.
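One concrete way to act on the fourth take-away, and on the MPN’s finding that unauthorised changes reached the payment pages: keep an inventory of every script the checkout page loads, approve third-party hosts explicitly, and compare each page against a baseline recorded at the last review. The script below is an added example, not code from Ticketmaster, the ICO or any vendor; the hostnames and sample pages in it are constructed.

```python
# Added example, not code from Ticketmaster or the ICO: audit a payment page's scripts
# against an approved host list and a baseline recorded at the last review.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the checkout page as reviewed, then the same page after a chat
# widget loader was added and the inline config edited without a further review.
REVIEWED = """<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/v3/" integrity="sha384-AAAA"></script>
<script>window.cfg = {currency: "GBP"};</script>"""
CURRENT = (REVIEWED.replace('"GBP"}', '"GBP", capture: "card"}')
           + '\n<script src="https://chat.widget.example/loader.js"></script>')


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) of external scripts and the body of each inline script."""
    def __init__(self, html):
        super().__init__()
        self.external, self.inline, self._inline = [], [], False
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external.append((a["src"], a.get("integrity")))
            else:
                self._inline = True
    def handle_data(self, data):
        if self._inline and data.strip():
            self.inline.append(data.strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False


def record_baseline(html):
    """SHA-256 of each inline script at review time; file it with the review record."""
    return {hashlib.sha256(b.encode()).hexdigest() for b in ScriptCollector(html).inline}


def audit_payment_page(html, first_party_host, approved_hosts, baseline):
    """Flag unapproved third-party hosts, approved scripts without SRI, unreviewed inline scripts."""
    page, findings = ScriptCollector(html), []
    for src, integrity in page.external:
        host = urlparse(src).hostname or first_party_host  # relative src = first party
        if host == first_party_host:
            continue
        if host not in approved_hosts:
            findings.append(f"unapproved third-party script: {src}")
        elif integrity is None:
            findings.append(f"approved script loaded without SRI: {src}")
    for body in page.inline:
        if hashlib.sha256(body.encode()).hexdigest() not in baseline:
            findings.append(f"inline script changed since last review: {body[:40]}")
    return findings
```

Run against the reviewed page with the same baseline the audit returns nothing; run against the changed page it reports the chat widget as an unapproved third-party script and the edited inline configuration as a change since the last review. A loader script that a vendor updates at will cannot carry a Subresource Integrity hash, which is exactly why such a script has no place in the cardholder data environment without explicit approval and periodic re-testing.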