Data breach puts event industry under the regulatory microscope

The news that Ticketmaster has lost significant amounts of high-risk customer data didn't take long to hit the mainstream:

Guardian report in full

The company itself appears, from the Guardian's report, to be downplaying the incident with its statement that the breach affected 'less than 5% of its global customer base'. But that customer base is 230 million individuals, so 5% is, in actual fact, an awful lot of people.

There are some key points to be pulled out from The Guardian report, particularly under the new data protection framework, which event companies would be well placed to pay attention to:

  • A third party noticed fraudulent activity and alerted Ticketmaster. This wasn't one of Ticketmaster's own processors; it was a financial organisation with clear compliance and governance capabilities.
    Monzo release on how they told Ticketmaster about the potential breach
  • This third party alerted Ticketmaster on 12th April but was, in its own words, 'unable to get any traction with the company'. This raises the question of whether there was a clear point of contact in Ticketmaster for dealing with this kind of communication. It also suggests that there was no formal process in place for handling such a report, one which should have escalated the incident to the individuals who could ensure it was shut down as quickly as possible.
    Wired investigates the factors behind Ticketmaster's failure to respond
  • Given that some banks knew about this fraudulent activity, and there was a clear link to Ticketmaster, why did it take the latter so long to close it down? Ticketmaster's own communications warn that anyone who bought tickets from them between an unspecified date in February and 23rd June may have been affected. Its delay appears, at face value, to have doubled the time that customers' data was put at risk.
    What took Ticketmaster so long?

But can we lay all of the blame at Ticketmaster's door? The malware responsible for this breach was actually discovered on a third party's product. This nasty little piece of code was exporting customers' data, including payment details, to an unknown third party. If you were feeling charitable you would perhaps say that this is not the fault of Ticketmaster and the third-party processor needs to take the rap.

Not so fast. Ticketmaster engaged the third party because (and I am paraphrasing) dealing with lots of repetitive questions from customers was tiresome and expensive. They purposefully offloaded customer care to a cheaper solution. There is, of course, nothing wrong with this. Every company exists to make a profit. But if you aren't going to do something yourself, and it is fundamental to your business model, then surely you need to be completely sure that the partners you are engaging are as diligent about keeping your customer data safe as you are? (I'm going to leave the inference behind that question hanging...)

Personal experience tells me that Ticketmaster is not alone in taking what, at face value, looks very much like a laissez-faire attitude to compliance. The event industry is not renowned for embracing compliance until it is forced upon it; many organisations are driven by creative entrepreneurs with short-term objectives and financial goals that do not sit well with investing in infrastructure or 'unnecessary headcount'.

Unfortunately, Ticketmaster's delay in dealing with the issue means that this breach has been reported under the new GDPR regime and not the previous Data Protection Directive. The questions that will be asked will be about whether or not the company was playing fast and loose with its customers' data, and undoubtedly the penalties will be commensurate with the answer. I'll leave it to you to decide whether a lack of action, when a bank tells you it thinks customer payment cards have been compromised, shows a commitment to data security or a complete disregard of compliance obligations.

The final point to raise on this whole matter is the imperative of choosing and using the right partners if you need assistance with managing your visitor data, be they a ticketing agency or a registration company. As yet there is no certification to assist with your choice, but you will get a clear view of whether you should be engaging an organisation to manage your registration, ticket sales and other data tasks by looking at the following:

  • What does their privacy notice look like? Is it something the IT department has knocked up, or does it really try to explain what the company does with data?
  • Does the company have any named data protection expertise? Not just a couple of junior staff who have done 30 minutes of online training, or one of the Directors who has had 'DPO' added to their job role.
  • Is the company happy to talk to you about staff training, or the steps they are taking to ensure they are processing the data as securely as possible?
  • If they are handling sensitive data, are they happy to show you their PCI DSS compliance, ISO 27001 certification or Cyber Essentials accreditation? Are they signatories to any industry codes of practice?
  • Do they deal with contractual issues promptly, or do they fudge it until you let a project proceed because you are out of time, and then somehow the documents never get signed?

These questions will give you a very clear indication of whether you should trust a third party (processor) with your most valuable asset. If they are someone who will stand shoulder to shoulder with you when something untoward happens, then they are the partner for you. The slightest inkling that they might be someone who would disappear at the first sign of trouble should make you think twice about engaging their services.

People make events. People = data. Data may not be as sexy as the creativity you bring to the party, but it is your most important asset. It is time to invest in the right tools and people to look after it.

Or you might just find yourself in Ticketmaster's shoes... and who wants to be there?