Ticketmaster has notified up to as many as 40,000 UK customers that their personal and payment information may have been accessed by an unknown third party. It says that on 23 June 2018 it identified malicious software on a customer support product hosted by a third party supplier. It is understood that the customers affected purchased or attempted to purchase tickets between February and 23 June 2018.
The Information Commissioner’s Office (‘ICO’) has confirmed that it is investigating the matter. If Ticketmaster is found to have failed in its obligation to hold third party data securely it could face a fine under the General Data Protection Regulation (‘GDPR’). The fines available to the ICO are significantly higher following the inception of the GDPR last month. The maximum fine is now €20 million or 4% of turnover (whichever is higher).
If customers can establish that the GDPR has been breached they may also be able to bring a civil claim for compensation for any consequential damage and distress they have suffered. Customers may also have additional claims for negligence, the misuse of private information or breach of confidence.
This is the latest in a series of high profile customer data leaks. Recently publicised examples affecting UK customers include Dixons Carphone, Equifax, the University of East Anglia, the University of Greenwich, Gloucestershire Police and London Bridge Plastic Surgery. These leaks were or are being investigated under the previous data protection regime (the Data Protection Act 1998).
Click here to find out how Brett Wilson LLP privacy solicitors can assist you if your personal data has been leaked.