
Ovum view

Summary

A data breach at Ticketmaster was publicized this week. However, was the ticket-selling behemoth notified of a potential breach by online bank Monzo back in April? If so, and if the breach was the same one that Ticketmaster announced this week, why did it not address the situation then? The EU's General Data Protection Regulation rules demand notification within 72 hours of a breach being discovered.

Ticketmaster breach was undetected for nearly five months

On its website, Ticketmaster states that on June 23, 2018, it identified malicious software at an external supplier, and this malware was exporting UK customer data to an unknown third party. Immediately, Ticketmaster disabled all links to the external supplier.

Ticketmaster this week contacted all potentially affected customers (those who had purchased tickets between February and June 23). Article 33 of GDPR stipulates that notification of a breach must be made to the supervisory authority (likely to be the Information Commissioner's Office in this case, for a UK data breach) within 72 hours of the breach being discovered. Similarly, Article 34 notes that individuals who may be affected should also be informed without undue delay.

So far, the rules appear to have been followed – but then the boat is rocked by Monzo.

Monzo has issued a statement on its website saying that it noticed a potential issue with Ticketmaster payments on its customer cards back in April. Monzo claims to have notified Ticketmaster about the emerging fraudulent patterns, and that Ticketmaster said it would investigate. The statement from Monzo notes that Ticketmaster subsequently responded that its internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.

One can only imagine that upon receipt of any information suggesting a potential breach, an organization would investigate thoroughly and put an end to any attack it discovers. However, if the organization is unable to find evidence of a breach – but a breach really did happen – the likelihood is that its cybersecurity resilience and security incident management practices are falling short.

It will be interesting to see how this story develops, in particular the view taken by the relevant supervisory authority once it has pieced together the timescale of the breach and who knew what and when.

Will Ticketmaster become the first high-profile case for the GDPR?

Appendix

Author

Maxine Holt, Research Director, Infrastructure Solutions

maxine.holt@ovum.com
