Check your chat bots: lessons from Ticketmaster’s £1.25m fine
In November, Ticketmaster was fined £1.25 million by the ICO for failing to appropriately secure customer data. Similar levels of penalties have also been levied against the likes of Marriott International and British Airways. The amount of these fines reflects the size and turnover of these particular businesses, but also the willingness of the ICO to hand out the toughest penalties for serious breaches of data protection laws. This underlines that no business can afford not to take data security seriously.
Ticketmaster had introduced a third party chat bot function onto its website, crucially including it on its payment page. According to the third party provider Inbenta Technologies Inc., the chat bot had not been intended for use on the customer payments page due to the security risk posed.
How could this have been prevented?
The increased likelihood and severity of an attack should have been recognised by Ticketmaster, with financial data attacks more likely through a third party supply chain where security measures may be less secure. Ticketmaster should have ensured an acceptable level of security was maintained, and tested the security measures between the chat bot and its payments page. Ultimately, this function should not have been included on its payment page at all.
Ticketmaster has also been criticised for its delayed response after being alerted by banks of the potential fraud. The issue with the chat bot was not detected quickly enough, and Ticketmaster did not begin monitoring network traffic through the online payment page until nine weeks after the alert.
Top Tips for businesses:
- ensure tight security controls around payment card details;
- do a formal risk assessment before deploying new tech or using existing tech with different data sets;
- ensure data security policies are up to date and procedures followed, with staff properly trained to spot and respond to risks and breaches; and
- check third party data processing arrangements comply with the GDPR and provide suitable contractual protections to you in the event of problems.
For information and advice in relation to data protection, please contact Elliot Fry at firstname.lastname@example.org.