In 2022, Ticketmaster settled a data breach group action claim following successful mediation and negotiation. Keller Postman UK was the only law firm to actively litigate this case in the UK and we represented over 1,000 customers in this action. Ticketmaster denied liability for the claims and the settlement was made on a no admission basis.
While we are prohibited from discussing the terms of the settlement, this page explains how the data breach happened, the facts of the case, and the consequences for the affected customers.
The Ticketmaster data breach happened in 2018 because of a cyberattack on software that a third party supplied to Ticketmaster and operated on its own systems and servers. That software, a chatbot built by Inbenta Technologies, was installed on Ticketmaster’s online payments page.
By injecting malicious code into the chatbot, hackers were able to skim and steal customers’ payment information as those customers made purchases on the Ticketmaster website. The malicious program was subsequently removed, but not before hackers accessed personal and financial details of up to 40,000 Ticketmaster customers in the UK.
In 2020, the Information Commissioner’s Office (ICO), which is the UK’s data protection regulator, issued a £1.25 million fine against Ticketmaster. According to the ICO, “Ticketmaster failed to process personal data in a manner that ensured appropriate security of the personal data”.
The ICO’s investigation also found that:
Although the breach began in February 2018, the ICO’s penalty only relates to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect.
Because of the Ticketmaster data breach, many customers were forced to change their bank accounts or credit cards. Some Ticketmaster customers reported fraudulent activity on their credit/bank cards. Most of the clients we represented in this case suffered multiple fraudulent transactions or experienced distress and/or psychological trauma because of the hack.
While the Information Commissioner’s Office (ICO) fined Ticketmaster for the breach, this payment was not used to compensate victims. Any money received by the ICO in data breach cases goes to the Treasury. So, the only way Ticketmaster customers could get compensation for the data breach was to take legal action.
See our answers to the FAQs we get asked about the Ticketmaster Data Breach.
In 2018, cybercriminals hacked Ticketmaster’s website, resulting in a significant data breach. The Ticketmaster data breach exposed customer names, addresses, email addresses, phone numbers, financial/payment details and Ticketmaster login details. In total, an estimated 40,000 people in the UK had their payment details swiped. The attack was orchestrated by a group of hackers known as Magecart.
UK customers who purchased, or attempted to buy, tickets between February and June 23rd, 2018, may have been affected by this breach. Ticketmaster emailed those involved, informing them that their data was put at risk. Everyone who received this email was eligible to join our group action compensation claim.
The Ticketmaster data breach presented a challenge to the ICO. With the General Data Protection Regulation (GDPR) coming into force in May 2018, and the breach taking place between September 2017 and 23 June 2018, the violation spanned two different data protection acts. The ICO got around this problem by issuing a penalty related only to the breach from the date the new GDPR rules came into effect.