Ticketmaster ‘failed to act’ on breach fears
TICKETMASTER has been accused of a “frustrating” failure to act on a data breach, despite being warned about it several months ago.
The ticket selling website admitted on Wednesday that information about its customers had been stolen in a cyber attack on one of its suppliers.
But British challenger bank Monzo said it had informed Ticketmaster of a series of suspicious transactions in April. The UK’s data watchdog, the Information Commissioner’s Office, said it was investigating the breach and that it could potentially fall under new data protection laws that allow for multimillion-pound fines.
Monzo chief executive Tom Blomfield said that his company informed the website of a potential breach in early April after noticing that many customers who had used Ticketmaster had fraudulent purchases using their cards.
Mr Blomfield said that Monzo started noticing a rise in fraudulent transactions on April 6. Around 70pc of those transactions came from people who had shopped at Ticketmaster.
Ticketmaster’s security team visited Monzo’s London office on April 12 but concluded that there was no breach, Mr Blomfield said.
Monzo decided to take the “quite extreme step” of replacing around 6,000 cards of people who had shopped at Ticketmaster. The cost of replacing those cards to Monzo is between £20,000 and £30,000. Ticketmaster only disclosed that it had suffered a data breach on Wednesday, over two months after Monzo said it informed the company of a potential breach.
Ticketmaster said that it had found “malicious software” on the website of one of its suppliers on June 23. It said that less than 5pc of its customers had been affected by the breach.
The BBC reported that up to 40,000 UK Ticketmaster accounts may have been affected. However, Mr Blomfield’s comments raise questions about the speed of Ticketmaster’s response to suggestions that its customers’ data had been stolen.
Tony Pepper, chief executive of data security company Egress, said that “there are going to be a few eyebrows raised” following Monzo’s comments about Ticketmaster’s delay in reporting the breach.
The new General Data Protection Regulation means companies must disclose data breaches to regulators within 72 hours of learning of the issue.
The Information Commissioner’s Office said it was looking into the timing of the breach. A spokesman said that “organisations have a legal duty to ensure that people’s personal information is held securely; we have been made aware of an issue concerning Ticketmaster and will be making enquiries”.
Tom Blomfield, chief executive of Monzo, said his bank had raised concerns about a possible Ticketmaster breach