Ticketmaster is facing a £5 million claim following a major data breach of its UK websites last year.
More than 650 customers affected by the security breach are taking legal action against the ticket sales company.
Up to 40,000 UK Ticketmaster customers are believed to have had “some personal or payment information” stolen following the data security breach. Customer data potentially accessed included addresses, phone numbers, payment info and login details.
Those affected are said to be mainly in the UK and had bought tickets from the main Ticketmaster UK website or sister sites TicketWeb or Get Me In! between February and June last year.
The breach was first made public by Ticketmaster in June 2018, when it admitted its sites had been compromised by malicious software on a third-party customer support product from Inbenta Technologies. The product was immediately disabled across the company’s websites and all customers who may have been affected were contacted.
However, it was later revealed the hack had been brought to Ticketmaster’s attention two months earlier, on 12 April, by digital bank Monzo.
The customers’ legal advisers have said more than two-thirds of their clients have suffered multiple fraudulent transactions since the serious data breach, with the remainder still at risk of having their data used in fraudulent ways. They have also stated the litigation follows “unsuccessful negotiations” to agree an out-of-court settlement.
Investigations by the UK’s National Crime Agency and Information Commissioner’s Office (ICO) into the incident are ongoing.
Notification of the incident came a month after the European Union’s General Data Protection Regulation (GDPR) went live. Ticketmaster said it was confident it had complied with the GDPR in how it had responded to the incident and notified affected individuals. This is despite Monzo revealing that the firm had initially denied there was any problem two months earlier.
The ICO is yet to decide whether the new data protection regulations should apply to the case given the breach had occurred before GDPR came into force, or if the case is to come under pre-existing data protection law.