EU authorities have understandably declined to put forward a single list of mandatory data security controls that apply to all companies subject to the GDPR. As a result, each new enforcement action by EU data protection authorities provides guidance as to what the GDPR requires for “appropriate technical or organisational measures” to safeguard personal data. We summarise here the lessons companies might draw from the £1.25 million fine imposed by the UK Information Commissioner’s Office (“ICO”) against Ticketmaster for alleged data security failings that exposed customer payment card data. It has been reported that Ticketmaster will appeal its fine.

The Ticketmaster penalty completes a hat trick of high-profile penalties imposed by ICO, which also included fines against British Airways and Marriott. Companies subject to the GDPR should consider all three actions in assessing their data protection compliance. It does not seem coincidental that the ICO moved to wrap up all three cases before the completion of Brexit—making the lessons impactful across the EU, and not only in the UK.

What Happened?

The Ticketmaster penalty notice states that on 10 February 2018, an attacker injected malicious code into a customer service “chatbot” used on Ticketmaster websites, including payment processing pages.  The code then allowed the attacker to capture customers’ payment card details including names, card numbers, expiry dates and CVV numbers.  The malicious script was active between 10 February 2018, and 23 and 24 June 2018, when the chatbot was disabled.

While the initial compromise pre-dated the GDPR coming into force on 25 May 2018, the ICO issued the fine under GDPR nonetheless—targeting Ticketmaster’s conduct from 25 May 2018 onwards, during which time up to 9.4 million UK and EU-based individuals’ payment card data was potentially exposed.

Our Top Five Takeaways from the ICO’s findings

The technical and organisational measures that companies need to implement to be GDPR-compliant can vary significantly, depending on a company’s risk profile, including the nature of personal data a company handles and what they are doing with it. Still, the ICO’s penalty notice provides helpful general insights into regulatory expectations.

1. The Need for Vendor Cybersecurity Oversight: The chatbot that was compromised as part of the breach was provided by a third party, Inbenta. The ICO found that Ticketmaster had placed “undue reliance on Inbenta’s contractual security obligations and failed to take sufficient and timely steps of its own to address the security of the chatbot.”

This is another reminder that obtaining contractual cybersecurity undertakings from a vendor may, by itself, be insufficient for a company to meet regulatory data security expectations, and some additional steps may be required.

In addressing what more the company could have done to meet its GDPR data safeguarding obligations, the ICO noted that Ticketmaster allegedly had no visibility into what changes were made to the chatbot script and when those changes were made. This led the ICO to find that Ticketmaster was unable to fully understand the risks the chatbot posed to the company’s payments page.  In addition, the ICO found that, at the time of the breach in 2018, Ticketmaster had last vetted Ibenta’s cybersecurity posture in 2013, which the ICO said was insufficiently recent given the pace with which cybersecurity threats evolve.

So, when considering their third-party vendor oversight programmes, companies may want to consider whether their periodic reviews are frequent and whether their vendor agreements allow for sufficient access to information to assess relevant security risks.

2. The Need for Awareness of Emerging Attack Vectors: Ticketmaster reportedly argued that the regulator was engaging in hindsight bias and that the incident was not reasonably foreseeable. Rejecting this assertion, the ICO noted that under the GDPR, companies must have “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, informed by “the state of the art” at the time. The ICO’s penalty notice states that the “state of the art” covers both actual and constructive knowledge of attack vectors, and points to a series of publicly available reports on the risks of implementing third-party scripts on websites. The ICO concludes that these risks were well known within the cyber and payment card security industry at the relevant time.

The ICO’s findings suggest that companies should consider canvassing recent threat intelligence on an ongoing basis, to help ensure that their cybersecurity remains responsive to emerging threats.

3. The Impact of Industry Standards on GDPR Compliance: In its penalty notice, the ICO pointed to what it viewed as a series of failures by Ticketmaster to meet the Payment Card Industry Data Security Standard (“PCI-DSS”), which applies to companies that process payment card data.

The ICO suggested that PCI-DSS compliance does not equate to GDPR compliance, but nonetheless found PCI-DSS compliance was relevant when assessing the adequacy of Ticketmaster’s safeguards. The penalty notice also reveals that one of the major points of contention between Ticketmaster and the ICO was whether PCI-DSS applied to the chatbot, given that the bot did not touch card data, but was merely present on pages where customers entered it. The ICO’s position appears to be that the chatbot was subject to PCI-DSS compliance requirements because it “might have impacted the card data environment” and therefore fell within the scope of the requirements.

Companies subject to PCI-DSS may therefore want to review which elements of their IT ecosystem are, and are not, subject to these requirements given the fact that, whether or not they directly handle payment card data, may not always be determinative from the regulators’ (or the payment cards companies’) standpoint.

The penalty notice also references the ICO’s consideration of Inbenta’s ISO 27001 certification, upon which Ticketmaster relied. The ICO states that it “place[d] little weight on the mere provision of such certifications by Inbenta as a mechanism of securing the chat bot in the circumstances,” stressing that “ISO 27001 is an information security management standard, which does not apply directly to software development.” This suggests that companies should be wary of over-relying on third-party certification standards like ISO 27001, when assessing a vendor’s cybersecurity risk.

4. The Need to Perform Risk Assessments and Document Key Decisions: The ICO’s findings also reinforce the need for well-documented data security risk assessments. The ICO asserted that Ticketmaster was unable to show threat analysis documentation or that it took into consideration the risk of implementing third-party scripts into a webpage that processed personal data before the breach. In particular, the ICO noted that Ticketmaster had not performed an adequate risk assessment before or after implementing the chatbot.

Similarly, when addressing certain security measures that the ICO considered would have been appropriate to protect against the attack, the regulator noted that Ticketmaster represented to the ICO that “sub-resource integrity” controls were not a workable solution to the attack vector. But the ICO found that the company was “unable to demonstrate any formal decision making” surrounding its decision not to implement that control. Accordingly, when deploying new technologies and deciding what safeguards are, or are not, workable in practice, companies should consider documenting key decisions in case they are later called into question.

5. The Need to Evaluate Alerts of Potential Breaches Promptly: In reaching its decision, the ICO also highlighted what it appears to have considered deficiencies in Ticketmaster’s response to alerts of potential breaches.

Most notably, the ICO states that it took Ticketmaster nine weeks from first being alerted to a potential breach to run checks on its payments page and monitor traffic. The penalty notice recalls numerous external reports of potential issues to Ticketmaster as early as 12 April 2018, when Monzo, a UK-based challenger bank, communicated concerns to Ticketmaster.

A few weeks later, in early May 2018, a security researcher contacted the company via Twitter to inform it that he believed a malicious code had been injected into the chatbot script. The series of events, through which Ticketmaster arguably became aware of the breach, highlight the importance of responding quickly when third parties notify a company of concerns, and ensuring the appropriate escalation of alerts.

The ICO also commented on the scope of the instructions to Ticketmaster’s external incident response team, comprised of outside security vendors. In particular, the ICO criticised the company’s alleged instruction to review only the Microsoft Windows systems, rather than the entire payment environment, notwithstanding that there were indications that a payment card data breach was in progress.

While some might question the broader significance of the ICO’s penalty notice given the UK’s exit from the EU, it is worth noting that it was issued in the ICO’s capacity as lead supervisory authority under the GDPR. This means that the ICO’s findings will have been shared with other relevant EU data protection authorities and therefore may still be instructive for companies dealing with other EU regulators.

 

To subscribe to the Data Blog, please click here.

The authors would like to thank Debevoise trainee associates Jesse Hope and Charles Thompson for their contribution to this article.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at agesser@debevoise.com.

Author

Robert Maddox is an associate based in the London office and a member of Debevoise's White Collar & Regulatory Defense and International Dispute Resolution Groups, as well as the firm’s Data Strategy & Security practice. His practice focuses on complex multi-jurisdictional investigations, disputes and cybersecurity matters. He can be reached at rmaddox@debevoise.com.

Author

Christopher Garrett is an English-qualified international counsel in the Corporate Department and a member of the Data Strategy & Security practice, practising employment law and data protection. He has significant experience advising employers on all aspects of employment law and advising companies on compliance with UK and EU data protection law. Mr. Garrett has substantial experience in advising on the employment aspects of mergers & acquisitions transactions, including transfers of employees or other issues arising under TUPE/the Acquired Rights Directive. Mr. Garrett has a wide range of experience advising on other matters such as boardroom disputes, senior executive contracts and terminations, disciplinary and grievance matters, a variety of employment tribunal claims (including high-value discrimination claims), advising employers faced with industrial action, consultation on changes to occupational pension schemes and policy and handbook reviews. Mr. Garrett also has a particular focus on handling privacy and data protection issues relating to employees, as well as online privacy, marketing and safety practices, regular advice to clients on privacy policies, online marketing practices and related matters.