The UK’s Information Commissioner’s Office (ICO) says Ticketmaster “failed to put appropriate security measures in place” to prevent a cyber-attack on a third-party-hosted chatbot installed on its online payment page.

The breach, which began in early 2018, compromised the names, payment card numbers, expiry dates and CVV numbers, of up to 9.4 million customers across Europe, including 1.5 million in the UK.

Despite the fact that Monzo, Barclays, CBA, Barclaycard, AmEx and Mastercard all told Ticketmaster about potential fraud on cards, for weeks the “company failed to identify the problem,” says the ICO. It took nine weeks from being warned about possible fraud for the firm to start monitoring the network traffic through its online payment page.

Some 60,000 payment cards belonging to Barclays customers were subjected to known fraud, while Monzo had to replace 6000 cards over suspected fraudulent use.

James Dipple-Johnstone, deputy commissioner, ICO, says: “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”

The fine only relates to the breach from 25 May 2018, when new rules under GDPR came into effect.

Digital payments will be discussed in depth at EBAday 2020. For delegate passes, register now and join leaders from across Europe’s payments ecosystem as EBAday addresses ‘The Turning Point in Payments Transformation’.