8 July 2018

Data Protection Update: Ticketmaster data breach affects up to 40,000 UK customers

Ticketmaster, the concert ticket vendor, has established that a malware attack on a third-party vendor has resulted in as many as five per cent (40,000 UK) of its customer base being put at risk of identity theft or fraud. In addition to their Ticketmaster login information, users’ payment data, addresses, names and phone numbers are also at risk.

It appears that Inbenta Technologies, who operate a chatbot on Ticketmaster’s site, had modified a line of JavaScript code in order to customise its basic product for Ticketmaster. Ticketmaster then used this code (without Inbenta’s knowledge) on its payments page. Hackers discovered this script, and then modified it to extract payment information, harvesting user information since an unknown date in February 2018.
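The attack described above relies on a script hosted by a third party being changed without the site embedding it noticing. As an added example (not code from the article, Ticketmaster or Inbenta), the following shows the two defensive controls a payments page would want: pinning the script with a Subresource Integrity hash so the browser refuses a modified copy, and a server-side monitor that re-checks the pinned hash against what the vendor currently serves. The script URL and contents are constructed for the example.

```python
import base64
import hashlib

# Constructed sample: the vendor's original widget script, and a copy with
# unexpected code appended (a placeholder standing in for injected code).
ORIGINAL_SCRIPT = b"window.chatbot = { init: function () { /* vendor widget */ } };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* unexpected extra code appended by a third party */\n"
SCRIPT_URL = "https://chatbot.example.invalid/widget.js"  # constructed, not a real host


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ('<algo>-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag for the payments page, pinned with SRI.

    A browser that supports SRI downloads the script, recomputes the hash and
    refuses to execute it if the hash no longer matches the integrity attribute."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def verify_pinned(pinned: str, content: bytes) -> bool:
    """Recompute the hash of the currently served script with the pinned algorithm."""
    algo = pinned.split("-", 1)[0]
    return sri_hash(content, algo) == pinned


def check_payment_page_scripts(pins: dict, served: dict) -> list:
    """Monitor step: compare every pinned third-party script URL against the body
    currently served for it; return the URLs whose content changed or vanished.
    `pins` maps URL -> SRI value, `served` maps URL -> fetched bytes."""
    changed = []
    for src, pinned in pins.items():
        body = served.get(src)
        if body is None or not verify_pinned(pinned, body):
            changed.append(src)
    return changed


if __name__ == "__main__":
    pins = {SCRIPT_URL: sri_hash(ORIGINAL_SCRIPT)}
    print(script_tag(SCRIPT_URL, ORIGINAL_SCRIPT))
    print("unchanged:", check_payment_page_scripts(pins, {SCRIPT_URL: ORIGINAL_SCRIPT}))
    print("tampered: ", check_payment_page_scripts(pins, {SCRIPT_URL: TAMPERED_SCRIPT}))
```

In a real deployment the `served` mapping would come from periodically fetching each pinned URL; any URL the check returns is a script that changed on the vendor's side and should be treated as an incident until the change is explained.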

It is understood that Ticketmaster first detected the breach on June 23rd 2018. However, it has been reported that online bank Monzo notified Ticketmaster of hacking concerns in April after it had identified fraudulent activity on bank cards of customers who had made purchases from Ticketmaster.

The ICO is investigating the data breach and in a tweet stated “organisations have a legal duty to ensure that people’s personal information is held securely. We have been made aware of an issue concerning Ticketmaster and will be making enquiries”. The data breach is the first major computer security breach to have been reported since the GDPR came into effect earlier this year. It is understood that the ICO will make a decision as to whether the breach should be dealt with under the 1998 or the 2018 Data Protection Acts. The Data Protection Act 2018 only came into force on May 23rd, after the initial discovery but before the incident was disclosed.

The ICO’s statement can be viewed here.

Misconfigured home security camera sends data to the wrong household

Following the recent incident involving an Alexa virtual assistant sending a conversation to a random contact, another household device has been involved in breaching personal data. This time a Swann Communications home security camera sent video footage to a third person’s app. The breach came to light after a BBC journalist began receiving motion-triggered video clips from an unknown family’s home on the dedicated camera app on his phone. It is reported that the clips featured people passing close to the camera and a child’s voice in the background.

Swann Communications have stated that the incident was a “one-off” due to human error resulting in the two cameras being manufactured with the same security key. However, only last month another customer reported a similar problem after receiving live CCTV footage from a local pub. This incident was thought to have been caused by both parties registering their products with the same username and password.

As the ‘Internet of Things’ becomes ever more popular with increasing numbers of household devices being connected to the internet, these kinds of privacy breaches are set to increase. The incident is a timely reminder that identifiable imagery is considered personal data under the GDPR, and therefore, at a data protection level requires the same level of care as other forms of personal data. The ICO has issued guidance on CCTV filming carried out by others which can be viewed here.

UK Government launches consultation over data protection fee exemptions

The UK Government has announced that it has launched a public consultation concerning the exemptions available from paying a data protection fee to the ICO. Every organisation or sole trader who processes personal information is required by law to pay a data protection fee to the ICO, unless they are legally exempt. The ICO’s data protection activities are funded by charges paid by data controllers and under the GDPR the Government is required to ensure an adequate level of funding.

The consultation is seeking to obtain views as to whether the current exemptions from paying charges are still appropriate and whether any new exemptions should be introduced. Currently, exemptions are available for people or organisations that process data for a ‘core business purpose’, which can include staff administration, and advertising, marketing and public relations in connection with their own business activity. Other exemptions include processing for the purposes of judicial functions and personal, family or household affairs. Some not-for-profit organisations are also exempt. Whilst not a full exemption, small occupational pension schemes and charities are eligible to pay the minimal tier 1 fee (£40).

The Government has stated that since most of the exemptions date back many years, and to a time when digital processing of personal data was not as prevalent, there is merit in reviewing the exemptions to ensure that they are still appropriate and fit for the digital age. The consultation is also soliciting feedback from stakeholders on whether exemptions should be provided for elected representatives and members of the House of Lords.

It is important to note that organisations that are exempt from paying the charges are still required to comply with the Data Protection Act 2018, including ensuring data is processed lawfully and fairly, ensuring personal data is adequate, relevant and up to date, and ensuring personal data is kept secure.

The consultation closes at 4pm on August 1st 2018. To view the consultation document and participate, click here.

BT fined £77,000 by the ICO over spam emails

The ICO has fined British Telecommunications plc (BT) £77,000 for sending nearly five million nuisance emails to customers. The ICO’s investigation found that BT did not have customers’ consent to send direct marketing emails. The Commissioner found that all of the emails sent constituted marketing and were not simply service messages. The messages were found to have been delivered to recipients who had not given the necessary consent and were therefore sent in breach of regulation 22 of the Privacy and Electronic Communications Regulations (2003).

The 4.9 million emails were sent between December 2015 and November 2016 promoting three charity initiatives: the BT ‘My Donate’ platform, Giving Tuesday and Stand up to Cancer.

The ICO concluded that although BT did not deliberately break the rules, it should have known the risks and it failed to take reasonable steps to prevent them. ICO’s Head of Enforcement, Steve Eckersley, commented “organisations have a responsibility to ensure they are acting within the law. Where they do not, the ICO can and will take action. This particular investigation was prompted by a concerned member of the public. We investigated the matter and uncovered the full extent of this activity which shows how important it is for people to report nuisance emails.”

The fine is another reminder of the pitfalls to avoid when communicating with customers. The ICO’s press statement can be read here and the penalty notice viewed here.