, , ,

Why is the Ticketmaster data hack investigation taking so long?


At Hayes Connor, we have issued a claim against ticketing giant Ticketmaster following its 2018 data breach. But even though the privacy failure took place 18 months ago, we still have some way to go before compensation can be issued to victims. But why is the Ticketmaster data breach investigation taking so long?

Ticketmaster is refusing to accept any blame for the data hack

The Ticketmaster data breach happened when hackers gained access to thousands of Ticketmaster details via chatbot software hosted by Inbenta Technologies. It was this software that was compromised in the data breach incident. As such, Ticketmaster claims that all responsibility for the data breach rests with Inbenta.

However, Inbenta has refuted that it is responsible. It admits that it supplied the code accessed in the Ticketmaster hack, but says that it did not know Ticketmaster planned to use it on a payment page. If it had been told that its product was going to be used that way, Inbenta states that it would have advised against it.

The fact that a third-party is involved in this breach does complicate matters. But it doesn’t mean that Ticketmaster wasn’t to blame. Ticketmaster is the company responsible for the security of the data it collects (e.g. customer names, payment card details, etc.). As such, it was responsible for making sure that adequate checks and processes were in place when it came to any third-party integration. So, implicating Inbenta as the one responsible is both dishonest and legally neither here nor there.

In our expert opinion, Ticketmaster is attempting to using Inbenta as a scapegoat for this breach. And in doing so, is dragging out the compensation process.

The ICO is delaying its decisions

In group action cases, there is only so much that can be done until the UK’s data protection regulator (the ICO) has carried out its investigation into a breach, and announced its findings. And, despite our frustration at the wait, that’s as it should be. It’s important to know the extent of any security failures before compensation can be properly discussed.

But despite our understanding of the ICO and its processes, we are concerned about the time some decisions are taking.  And this includes the Ticketmaster data hack group action.

One possible reason for the ICO’s delay when it comes to Ticketmaster is that this case is legally very challenging. The Ticketmaster data breach affects people who bought tickets between September 2017 and 23 June 2018. With the GDPR coming into force on May 25th 2018, this means that the violation spans two different data protection acts:

  • The Data Protection Act (DPA) 1998
  • The Data Protection Act (DPA) 2018 (the UK’s version of the GDPR).

These acts have drastically different levels of fines. The first up to a maximum of £500,000 and the second up to £17 million (or 4% of an organisation’s annual turnover, whichever is higher).

It is not yet clear which legislation is relevant, but the breach could be judged under both. Alternatively, the entire data protection failure could be treated as a breach under GDPR as it kept happening after the new laws came into force. If GDPR is used, the Ticketmaster data breach case will set the tone for action to be taken by the ICO in future breaches.

So, it is understandable – in this instance at least – why the ICO would need time to get its decision right.

Ticketmaster data hack group action

At Hayes Connor, we are helping people who want to make a compensation claim because of the Ticketmaster data breach.

If you have already contacted us, and we have confirmed that you are part of our first group action, there is nothing for you to do at this stage. We will keep you updated, and as soon as the investigation is complete, we will take your case to the High Court.

If you have contacted us and are waiting to join our second group action, we’ll be in touch about anything we need from you. We will then progress your claim once our first group action has been decided in court.

If you haven’t yet contacted us, it’s not too late. If you have suffered a privacy violation caused by Ticketmaster’s breach of data privacy laws, you have a right to claim compensation. All you need to do is register with us and we will keep you updated.

There is no cost to join our group action, and no obligation to proceed.