The ICO’s monetary penalty notice issued to Ticketmaster

By Myles Dacres

The ICO’s monetary penalty notice issued to Ticketmaster makes interesting if not worrying reading.  LOTS of buck passing preceded and arguably slowed identification of the compromise.  Indeed, a customer notified Ticketmaster via Twitter about the vulnerability 6 or 7 weeks before Ticketmaster and their incident response team identified it.

It seems fairly obvious to the Outsourced DPO who is not a particularly technical person, that putting a chat bot on a payments page was a risky idea.  Putting anything superfluous to the function of processing payment information is a bad idea and the PCI DSS prohibition of using end user messaging technologies like chat bots and email for transmitting payment card information should have been a clear warning.  However, someone at Ticketmaster must have successfully argued that the chat bot was essential for the “customer journey” because there it was.

The MPN points out several failures of Ticketmaster to meet the payment card industry data security standard (PCI DSS).  This is interesting as the Marriott MPN also cited the PCI DSS.  Ticketmaster argued that the chat bot was not designed to process card holder data.  But being an entity connected to the card holder data environment it was always within or potentially within the scope of their card holder data environment (CDE).  As the merchant (i.e. Ticketmaster) is responsible for identifying the scope of their CDE, perhaps the exclusion of the chat bot was never challenged.

The great thing about the ICO publishing comprehensive MPNs is that they are or should be a great source of learning for others.  DPOs and privacy managers up and down the country will now be seeking to carry out vulnerability testing on their payment pages and undertake DPIAs on their use and deployment of chat bots and other third-party applications on their web sites.  The principle failures cited in the MPN are: 1) failure to process personal data in a matter that ensures appropriate security … using appropriate technical and organisational measures (Article 5(1)(f)).  The MPN says that while some measures were in place they were insufficient in the circumstances; 2) failure to ensure ongoing integrity of processing systems (Article 32(1)b)).  Ticketmaster allowed unauthorised changes to its website payment pages; and 3) failure to regularly testing, assessing and evaluating the effectiveness of technical and organisational controls (Article 32(1)(d)).  Had the chat bot been considered within the scope of the CDE, it would have been subject to regular testing; 4) failure to implement state of the art measures appropriate to the risk (Article 32).  The MPN expresses the opinion that Ticketmaster should have been aware of attack vectors (methods of attack) and that “state of the art” includes having up-to-date knowledge and implementing third-party JavaScripts into a website or chat bot has, for some time, been a known security risk.

Some interesting take-aways from the Ticketmaster MPN are:

  • Commercial and marketing representations about the customer experience need tempering and risk assessing;
  • Just as we are to minimise data collection, we should keep application functionality to an absolute minimum  Don’t deploy or switch off un-necessary functions;
  • Challenge the scoping of your PCI DSS card holder environment – don’t assume it was correctly scoped last year and remains “as is”;
  • Regularly test your customer journeys on your websites and document the findings;
  • Up-to-date knowledge regarding the technologies you chose to implement and use is considered a pre-requisite.  If you don’t understand the latest or state of the art thinking about those technologies – don’t deploy them until you do.

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

    Data Protection People Limited – March 2021