A data breach at Ticketmaster was publicized this week. However, was the ticket-selling behemoth notified of a potential breach by online bank Monzo back in April? If so, and if the breach was the same one that Ticketmaster announced this week, why did it not address the situation then? The EU's General Data Protection Regulation rules demand notification within 72 hours of a breach being discovered.
Ticketmaster breach was undetected for nearly five months
On its website, Ticketmaster states that on June 23, 2018, it identified malicious software at an external supplier, and this malware was exporting UK customer data to an unknown third party. Immediately, Ticketmaster disabled all links to the external supplier.
Ticketmaster this week contacted all potentially affected customers (those who had purchased tickets between February and June 23). Article 33 of GDPR stipulates that notification of a breach must be made to the supervisory authority (likely to be the Information Commissioner's Office in this case, for a UK data breach) within 72 hours of the breach being discovered. Similarly, Article 34 notes that individuals who may be affected should also be informed without undue delay.
So far, the rules appear to have been followed – but then the boat is rocked by Monzo.
Monzo has issued a statement on its website saying that it noticed a potential issue with Ticketmaster payments on its customer cards back in April. Monzo claims to have notified Ticketmaster about the emerging fraudulent patterns, and that Ticketmaster said it would investigate. The statement from Monzo notes that Ticketmaster subsequently responded that its internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.
One can only imagine that upon receipt of any information suggesting a potential breach, an organization would investigate thoroughly and put an end to any attack it discovers. However, if the organization is unable to find evidence of a breach – but a breach really did happen – the likelihood is that its cybersecurity resilience and security incident management practices are falling short.
It will be interesting to see how this story develops, in particular the view taken by the relevant supervisory authority once it has pieced together the timescale of the breach and who knew what and when.
Will Ticketmaster become the first high-profile case for the GDPR?
"The importance and breadth of GDPR obligations on data breach reporting should not be underestimated," INT003-000152 (May 2018)
"Don't let incidents and breaches lie undiscovered for months," INT003-000151 (May 2018)
Maxine Holt, Research Director, Infrastructure Solutions