Security News > 2020 > November > Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal
Key to the criminals' success was Ticketmaster's decision to deploy a Javascript-powered chatbot on its website payment pages, giving criminals an easy way in by compromising the third party's JS - something the ICO held against Ticketmaster in its decision to award the fine.
Ticketmaster 'fessed up to world+dog in June that year, and the final damage has now been revealed by the Information Commissioner's Office: 9.4m people's data was "Potentially affected" of which 1.5m were in the UK; 66,000 credit cards were compromised and had to be replaced; and Ticketmaster itself doesn't know how many people were affected between 25 May and 23 June 2018.
Ticketmaster remains in denial about its culpability for the breach, telling The Register in a statement: "Ticketmaster takes fans' data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal today's announcement."
"It took Ticketmaster approximately nine weeks from the date of Monzo's notification of possible fraud involving the Ticketmaster website for Ticketmaster to run a payment through its payment page and monitor the network traffic thereon," said an incredulous ICO, which noted that it took a random Twitter user explaining why JS on a payments page is a bad thing for the business to wake up and do something about it.
"Ticketmaster did not adequately test, assess or evaluate whether the security measures operating between the chat bot and its own payment page were adequate to address the known risks of third party scripts," said the ICO. By its own admission, Ticketmaster wasn't even monitoring how often Inbenta updated its Javascript - in breach of all rules and guidance on JS and payments pages.