The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued three significant monetary penalties over recent months focusing on cyber security issues. The most recent enforcement was a monetary penalty of £1.25 million on Ticketmaster in connection with an incident which occurred between February 2018 and June 2018 (although the enforcement only relates to the period after 25 May 2018, when the GDPR came into force). In the ICO’s view there was a failure to process personal data in a manner that ensured appropriate security, as required under Articles 5(1)(f) and 32 of the GDPR.
The incident involved malicious code that was inserted into a chat bot provided by a third party and used on the payment page of Ticketmaster’s website. The personal data involved names, addresses, email addresses, full credit / debit card numbers, CVVs, and usernames and passwords. 9.4 million data subjects were notified of the incident, 1.5 million of whom were in the United Kingdom. Credit / debit card numbers and CVVs were only accessed for a small sub-set of the total number of affected data subjects.
Key takeaways
This enforcement action demonstrates the ICO’s continued focus on enforcement in relation to significant data security incidents. The incident that gave rise to this monetary penalty is an example of a data breach involving a supply chain attack. The penalty notice is also a further example of a trend which has emerged in recent ICO penalties of quoting very extensively from third party guidance in support of the ‘state of the art’.
This penalty notice highlights the ICO’s expectations in relation to controllers assessing the appropriate security measures to protect personal data. In particular, the ICO focuses on failure to address known security vulnerabilities or issues, or to comply with third party security guidance. The ICO expects controllers to proactively stay up to date with the potential security vulnerabilities or issues with the systems or tools they are using, and to take steps to address any such issues.
The factual background
Ticketmaster contracted with a third party (Inbenta) to provide a chat bot which was incorporated into Ticketmaster’s website. The chat bot was designed to interpret questions from users and automatically identify relevant help articles or information. This involved computer code that analysed questions. The JavaScript for the chat bot was hosted on Inbenta’s server. Ticketmaster included the chat bot on various pages of its website, including deciding to include it on the website’s payment page.
In February 2018, there was a potential compromise in the code of the chat bot. In April 2018 Ticketmaster was informed by several banks of reported fraudulent transactions. In May 2018 it was contacted by card issuers about several indicators of compromise, which also highlighted that the fraud could be caused by malicious third party content. Then, in June 2018 Ticketmaster was informed by Barclaycard of approximately 37,000 instances of known fraud where Ticketmaster was the common point of purchase. Ticketmaster reported this to the ICO the next day, and later informed 9.4 million customers that it had suffered a data incident.
As the chat bot was present on the payment page, the malicious code was able to unlawfully process personal data of customers. An attacker directed its attack at the Inbenta servers and inserted malicious code into the JavaScript for the chat bot. The malicious code was used to “scrape” personal data provided by the user on the page. Since the chat bot was included on the payment page, the personal data scraped using the malicious code included names and financial data: payment card numbers, expiry dates and CVV numbers.
The ICO’s assessment of the breach
The ICO considered that there had been a number of failures on Ticketmaster’s part, which led it to conclude that Ticketmaster had breached Articles 5(1)(f) and 32 of GDPR. We comment on some of those failures below. Interestingly, the ICO was not prepared to engage with Ticketmaster’s submissions that Inbenta was at fault for the incident – effectively arguing that if Inbenta hadn’t allowed malicious code to be inserted into the chat bot code, the breach wouldn’t have happened. The ICO took the approach that Ticketmaster did not have adequate technical and organisational measures in place in any event, either in relation to its own systems or the checks and controls it imposed on third parties.
In the ICO’s view, including third party JavaScript in a website or chat bot has been a known security risk for some time. In the ICO’s view this risk to personal data is increased when the script is deployed on web pages that process personal data, such as payment pages. The ICO cited guidance and commentary from numerous sources that identified this risk, several of which noted that a benign script could be changed by an attacker to “scrape” personal data, and that the controller or processor would likely not be aware of this or have visibility of it. In the ICO’s view this attack vector was not novel, and Ticketmaster ought reasonably to have been aware of the risk of including third party JavaScript in a website that processes personal data such as payment card data.
Compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) is not necessarily equivalent to compliance with the GDPR’s security principle. However, since Ticketmaster processed card data and suffered a personal data breach, the ICO considered the extent to which Ticketmaster might have put in place the measures required by PCI DSS in the context of the chat bot on its payment page.
Importantly, although Ticketmaster had a contract in place with the third party provider which included a commitment that the chat bot would remain free from malware, this did not prevent a monetary penalty being imposed upon Ticketmaster as a controller of the personal data. It was not adequate to just have a contractual obligation on the third party; neither was it sufficient to rely on Inbenta’s ISO27001 certification (which the ICO noted is an information security certification, and was not directly relevant). The ICO therefore found that Ticketmaster had failed to put in place appropriate measures to negate the risk from third party scripts which could infect the chat bot on the payment page of Ticketmaster’s website.
The ICO found that Ticketmaster had failed to comply with:
- Article 32(1)(b) of the GDPR, in that it failed to ensure that only authorised changes were made to Ticketmaster’s website that processed personal data, including the payment page;
- Article 32(1)(d) of the GDPR which required Ticketmaster to have a process for regular testing, assessment and evaluation of technical and organisational controls and security of processing;
- Article 5(1)(f) of the GDPR, because it had not put in place appropriate measures to negate the risk of third party scripts infecting the chat bot on its payment page.
In the ICO’s view, if passive monitoring of the payment page had been undertaken in the first instance, there would have been an increased likelihood that the mechanism of the personal data breach would have been identified earlier. In addition, following industry guidance in relation to scripts would have mitigated the risk in this context. The ICO also took the view that the decision to install the chat bot on the payment page was itself a failure which gave rise to a risk of a personal data breach.
In relation to data breach reporting obligations under Article 33 of the GDPR, in the Notice of Intent the ICO took the view that Ticketmaster had failed to notify the ICO without undue delay and in any event within 72 hours of becoming aware of the breach. However, in the final Monetary Penalty Notice the ICO does not rely on any breach of Article 33 of the GDPR for the purposes of the fine (and the ICO has therefore still not included a breach of Article 33 obligations as a separate breach in any of its penalty notices).
Calculation of the penalty
In the ICO’s view, the personal data breach was not intentional or deliberate. However, the ICO concluded that Ticketmaster, as controller, should not have presumed, without adequate oversight or technical measures, that Inbenta could provide an appropriate level of security in respect of the processing of payment cards. In particular, in the ICO’s view Ticketmaster’s breach of the PCI DSS standard was negligent. However, the ICO noted that Ticketmaster fully cooperated with the ICO during the investigation and that there were no aggravating factors.
In the ICO’s Notice of Intent to impose a monetary penalty, its initial proposed penalty was £1,500,000. In the final Monetary Penalty Notice the ICO considered mitigating factors such as:
- forcing password resets across all domains;
- once the chat bot was removed, the personal data breach ended;
- Ticketmaster created a website where customers and media could receive information about the personal data breach; and
- Ticketmaster incurred considerable costs in relation to the incident, including the cost of twelve months of credit monitoring offered to all affected customers and legal costs.
In particular, in light of the exceptional circumstances as a consequence of COVID-19, the ICO reduced the penalty from £1,500,000 to £1,250,000.