Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal The Information Commissioner’s Office has fined Ticketmaster £1.25m after the site’s operators failed to spot a Magecart card skimmer infection until after 9 million customers’ details had been slurped by criminals. The breach began in February 2018 and was not detected until April, when banks realised their customers’ cards …
Data protection doesn't care who's at fault. If you accepted and stored the data in a bad way, it's your fault.
You could have been handing that data entirely to the third party on a secure page, and it's still YOUR fault if it gets out, if the customer was giving their data to you.
There is no "we were just contracting that out" get-out clause in DPA or GDPR. Likely you're both fined, but at minimum the original "collectors" of the data can't escape liability. And if people were putting their data on Ticketmaster's site and one of Ticketmaster's contractors leaked it - tough luck, Ticketmaster are liable first and foremost.
This is one of the (many) things I have to regularly explain about data protection to people. It doesn't matter what promises you get from the other companies you give personal data... if that data was given to you, it's your responsibility if they mess up, just the same as if you'd messed up yourself.
Every six months or so a card gets replaced by an issuer. Sometimes it's a text message asking if we ordered $531 of Nike shoes, other times it's just they've got to replace the card for 'reasons'. How long until we've got to have *3* different cards, to protect against A then B going out of service simultaneously?
Back when I used to travel to the US frequently, about 1 trip in 3 would result in me needing a new credit card after fraud attempts. I now endeavour to use disposable credit card numbers for most transactions. As well as protecting me, I realise they will make fraud detection much easier as ANY second usage is a red flag.
The response of Tickmaster to Monzo is just typical of any online businesses nowadays , they simply either make it impossible to contact them or ignore anything that is passed to them.
It appears to be totally acceptable now to hide behind a wall of obscurity:
Online - use are chat service that is in fact a sodding bot.
Submit a ticket - goes into the same automated bucket.
Phone - a voice activated automated alien that does not get you anywhere other than high stress levels.
In the unlikely event that the phone option does put you through to some sort of interactive lifeform they appear to have no more information than you. If you are doubly lucky, said lifeform even speaks an intelligible language.
1. Engineer/Support person gets this security ticket
2. Explains to manager
3. Manager asks what it will do to the schedule
4. Manager says we are not going to do anything.
Just recently had a program manager nitwit for their e-commerce website (yup the money earning part of their business) tell me that they are going to fix 9 critical vulnerabilities, including several RCE issues, AFTER the buying season was over.
I finally escalated all the way to the top and they explained to the PM that their might not be a business left if the issues were not fixed by just updating 1 package from the current version to the next minor version which was a security fix.
Sometimes a sledge hammer works. This is a rare success.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
