, , ,

Is Ticketmaster really not to blame for its data breach?


At Hayes Connor, we have issued a claim for damages of up to £5 million against ticketing giant Ticketmaster following its 2018 data breach. This is the first high profile action to be launched on behalf of multiple claimants in the UK since GDPR came into force.

But, to date, Ticketmaster is refusing to accept any blame for the breach. Despite the fact that, almost a year after the hack:

  • 63% of all the clients we took on have suffered multiple fraudulent transactions on their payment cards
  • 31% of all clients involved in this case suffered from distress and/or psychological trauma.

Instead, Ticketmaster claims that all responsibility for the data breach rests with Inbenta – a software provider that supplied Ticketmaster with chatbot software. It is this software that was compromised in the data breach incident.

Lawyers for the event ticket sales website said that Ticketmaster “is of the belief that it is not responsible for the Potential Security Incident”. That’s despite the fact that it was Ticketmaster that put the third-party Javascript on a payment page.

What actually happened in the Ticketmaster data breach?

Malicious hacking group Magecart was able to gain access to thousands of Ticketmaster’s customer payment details via a “customer support product hosted by Inbenta Technologies”.

The malware used compromises webpage elements – typically Javascript – to gain access to customer payment cards and other sensitive details.

However, Inbenta has refuted that it is responsible, stating that:

“Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code… Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it.”

Is Ticketmaster right?

Our data protection experts don’t think so. In fact, we strongly disagree with this defence and are currently collating evidence to prove that Ticketmaster was liable for the breach.

In addition, according to RiskIQ, Ticketmaster also used SocialPlus  – another company allegedly compromised by Magecart. So, while Inbenta has been established as the entry point for the malicious attack on its systems, at least one other source containing the skimmer had access to the Ticketmaster websites. This indicates a failure in security at Ticketmaster.

Indeed, where a third-party has been involved in a breach (e.g. in the Ticketmaster data breach), this doesn’t mean the company that collected your data isn’t to blame. It is their responsibility to put adequate checks and processes in place to secure vendor access. So, implicating Inbenta as the bad actor is both dishonest and legally neither here nor there.

In our expert opinion, Ticketmaster is using Inbenta as a scapegoat for this breach. And in doing so, it trying to stop fair and right reparation being paid to its victims. But, having seen the evidence supplied by Inbenta, we are more confident than ever that Ticketmaster is guilty of severe data protection failures, and that it will be made to compensate victims.

Ticketmaster data breach group action

At Hayes Connor, we are registering people who are interested in making a compensation claim because of the Ticketmaster data breach. Once you register with us, we will be in touch to find out more about how the breach affected you.

Our first group action is ready to be heard in the High Court. But, because of the number of people affected by the Ticketmaster security breach, we are now registering people who want to join a second wave of claimants. We will then progress your claim once our first group action has been decided in court.

Crucially, you do not need to have suffered any financial loss or emotional distress to make a claim. If you have suffered a privacy violation caused by Ticketmaster’s breach of the Data Protection Act, you have a right to claim compensation.