EU authorities have understandably declined to put forward a single list of mandatory data security controls that apply to all companies subject to the GDPR. As a result, each new enforcement action by EU data protection authorities provides guidance as to what the GDPR requires for “appropriate technical or organisational measures” to safeguard personal data. We summarise here the lessons companies might draw from the £1.25 million fine imposed by the UK Information Commissioner’s Office (“ICO”) against Ticketmaster for alleged data security failings that exposed customer payment card data. It has been reported that Ticketmaster will appeal its fine.
The Ticketmaster penalty completes a hat trick of high-profile penalties imposed by ICO, which also included fines against British Airways and Marriott. Companies subject to the GDPR should consider all three actions in assessing their data protection compliance. It does not seem coincidental that the ICO moved to wrap up all three cases before the completion of Brexit—making the lessons impactful across the EU, and not only in the UK.
The Ticketmaster penalty notice states that on 10 February 2018, an attacker injected malicious code into a customer service “chatbot” used on Ticketmaster websites, including payment processing pages. The code then allowed the attacker to capture customers’ payment card details, including names, card numbers, expiry dates and CVV numbers. The malicious script was active from 10 February 2018 until 23 and 24 June 2018, when the chatbot was disabled.
While the initial compromise pre-dated the GDPR coming into force on 25 May 2018, the ICO issued the fine under GDPR nonetheless—targeting Ticketmaster’s conduct from 25 May 2018 onwards, during which time up to 9.4 million UK and EU-based individuals’ payment card data was potentially exposed.
Our Top Five Takeaways from the ICO’s findings
The technical and organisational measures that companies need to implement to be GDPR-compliant can vary significantly, depending on a company’s risk profile, including the nature of personal data a company handles and what they are doing with it. Still, the ICO’s penalty notice provides helpful general insights into regulatory expectations.
1. The Need for Vendor Cybersecurity Oversight: The chatbot that was compromised as part of the breach was provided by a third party, Inbenta. The ICO found that Ticketmaster had placed “undue reliance on Inbenta’s contractual security obligations and failed to take sufficient and timely steps of its own to address the security of the chatbot.”
This is another reminder that obtaining contractual cybersecurity undertakings from a vendor may, by itself, be insufficient for a company to meet regulatory data security expectations, and some additional steps may be required.
In addressing what more the company could have done to meet its GDPR data safeguarding obligations, the ICO noted that Ticketmaster allegedly had no visibility into what changes were made to the chatbot script and when those changes were made. This led the ICO to find that Ticketmaster was unable to fully understand the risks the chatbot posed to the company’s payments page. In addition, the ICO found that, at the time of the breach in 2018, Ticketmaster had last vetted Inbenta’s cybersecurity posture in 2013, which the ICO said was insufficiently recent given the pace at which cybersecurity threats evolve.
So, when considering their third-party vendor oversight programmes, companies may want to consider whether their periodic reviews are sufficiently frequent and whether their vendor agreements allow for sufficient access to information to assess relevant security risks.
2. The Need for Awareness of Emerging Attack Vectors: Ticketmaster reportedly argued that the regulator was engaging in hindsight bias and that the incident was not reasonably foreseeable. Rejecting this assertion, the ICO noted that under the GDPR, companies must have “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, informed by “the state of the art” at the time. The ICO’s penalty notice states that the “state of the art” covers both actual and constructive knowledge of attack vectors, and points to a series of publicly available reports on the risks of implementing third-party scripts on websites. The ICO concludes that these risks were well known within the cyber and payment card security industry at the relevant time.
The ICO’s findings suggest that companies should consider canvassing recent threat intelligence on an ongoing basis, to help ensure that their cybersecurity remains responsive to emerging threats.
3. The Impact of Industry Standards on GDPR Compliance: In its penalty notice, the ICO pointed to what it viewed as a series of failures by Ticketmaster to meet the Payment Card Industry Data Security Standard (“PCI-DSS”), which applies to companies that process payment card data.
The ICO suggested that PCI-DSS compliance does not equate to GDPR compliance, but nonetheless found PCI-DSS compliance was relevant when assessing the adequacy of Ticketmaster’s safeguards. The penalty notice also reveals that one of the major points of contention between Ticketmaster and the ICO was whether PCI-DSS applied to the chatbot, given that the bot did not touch card data, but was merely present on pages where customers entered it. The ICO’s position appears to be that the chatbot was subject to PCI-DSS compliance requirements because it “might have impacted the card data environment” and therefore fell within the scope of the requirements.
Companies subject to PCI-DSS may therefore want to review which elements of their IT ecosystem are, and are not, subject to these requirements, given that whether or not a component directly handles payment card data may not always be determinative from the standpoint of regulators (or the payment card companies).
The penalty notice also references the ICO’s consideration of Inbenta’s ISO 27001 certification, upon which Ticketmaster relied. The ICO states that it “place[d] little weight on the mere provision of such certifications by Inbenta as a mechanism of securing the chat bot in the circumstances,” stressing that “ISO 27001 is an information security management standard, which does not apply directly to software development.” This suggests that companies should be wary of over-relying on third-party certification standards like ISO 27001, when assessing a vendor’s cybersecurity risk.
4. The Need to Perform Risk Assessments and Document Key Decisions: The ICO’s findings also reinforce the need for well-documented data security risk assessments. The ICO asserted that Ticketmaster was unable to show threat analysis documentation or that it took into consideration the risk of implementing third-party scripts into a webpage that processed personal data before the breach. In particular, the ICO noted that Ticketmaster had not performed an adequate risk assessment before or after implementing the chatbot.
Similarly, when addressing certain security measures that the ICO considered would have been appropriate to protect against the attack, the regulator noted that Ticketmaster represented to the ICO that “sub-resource integrity” controls were not a workable solution to the attack vector. But the ICO found that the company was “unable to demonstrate any formal decision making” surrounding its decision not to implement that control. Accordingly, when deploying new technologies and deciding what safeguards are, or are not, workable in practice, companies should consider documenting key decisions in case they are later called into question.
5. The Need to Evaluate Alerts of Potential Breaches Promptly: In reaching its decision, the ICO also highlighted what it appears to have considered deficiencies in Ticketmaster’s response to alerts of potential breaches.
Most notably, the ICO states that it took Ticketmaster nine weeks from first being alerted to a potential breach to run checks on its payments page and monitor traffic. The penalty notice recalls numerous external reports of potential issues to Ticketmaster as early as 12 April 2018, when Monzo, a UK-based challenger bank, communicated concerns to Ticketmaster.
A few weeks later, in early May 2018, a security researcher contacted the company via Twitter to inform it that he believed malicious code had been injected into the chatbot script. This series of events, through which Ticketmaster arguably became aware of the breach, highlights the importance of responding quickly when third parties notify a company of concerns, and of ensuring the appropriate escalation of alerts.
The ICO also commented on the scope of the instructions given to Ticketmaster’s external incident response team, made up of outside security vendors. In particular, the ICO criticised the company’s alleged instruction to review only the Microsoft Windows systems, rather than the entire payment environment, notwithstanding that there were indications that a payment card data breach was in progress.
While some might question the broader significance of the ICO’s penalty notice given the UK’s exit from the EU, it is worth noting that it was issued in the ICO’s capacity as lead supervisory authority under the GDPR. This means that the ICO’s findings will have been shared with other relevant EU data protection authorities and therefore may still be instructive for companies dealing with other EU regulators.
The authors would like to thank Debevoise trainee associates Jesse Hope and Charles Thompson for their contribution to this article.