Ticketmaster is the latest big brand to come under fire following a data breach that exposed the details of 40,000 customers. The company has blamed the breach on malicious software that entered its systems via a third-party chatbot vendor, Inbenta Technologies, with customer names, addresses, email addresses, telephone numbers and payment details all transferred to an unknown third party.
So far, so damaging. But to make matters worse, Monzo, the challenger bank, has said that it warned Ticketmaster about a potential compromise back in April, and that the company failed to act. The National Crime Agency and the Information Commissioner’s Office are now investigating, and if they find that Ticketmaster could have done more to limit the damage, serious repercussions could be on the cards.
Under GDPR, fines can be as high as 4% of annual global turnover (or €20 million, whichever is greater). Because this breach involves payment card details, Ticketmaster could also face penalties under the Payment Card Industry Data Security Standard (PCI DSS), which governs how cardholder data must be handled. And that’s before counting the loss of customer trust and reputational damage.
Cyber-attacks and data breaches are an unfortunate part of business today, and being hit doesn’t necessarily mean you’ve done something wrong. But companies have a responsibility to do their utmost to protect customer data, and to be as transparent as possible when they do identify an issue.
So, what can other businesses learn from Ticketmaster’s response (or lack of one)?
Top-down cyber security
Ticketmaster’s apparent failure to respond to Monzo’s initial warning suggests that cyber security needs to be a higher priority for staff and leadership alike. It can no longer be left to “the IT person” to deal with; it is an executive-level issue and must be treated as one. The management team must lead by example and make sure the message is communicated across the whole business, so that when a potential issue arises, staff and management know what to do, who to tell and how quickly.
Honesty is the best policy
GDPR requires organisations to report a personal data breach to the regulator (in the UK, the ICO) within 72 hours of becoming aware of it, and to inform affected individuals without undue delay where the breach is likely to put them at high risk. Failing to do so won’t just look like you have something to hide: it can hinder the investigation into the cause of the breach and stop customers taking steps, such as cancelling cards or changing passwords, that would limit the harm to them. Speed matters after an attack, so it pays to have IT forensics, legal and PR support lined up before you need them.
It’s not clear whether Inbenta Technologies was at fault in this incident: the company says the breach came through a piece of customised code that was applied to the Ticketmaster payments page without its knowledge. Wherever the blame lies, any script a vendor runs on a payment page can read whatever the customer types into it, so that kind of access deserves the same scrutiny as a login to your database. The episode highlights the importance of vetting vendors carefully before giving them access to sensitive business and customer data. Checking a vendor’s security should be part of the vetting and onboarding process: how and where your data will be stored, what access controls apply to the vendor’s own employees, what the vendor is allowed to change in your systems, and proof of compliance with GDPR.
It might be the big brands that make the headlines, but SMEs are just as much of a target, with Government figures showing that 42% of small businesses suffered a breach or attack in the last 12 months. Often seen as soft targets because they lack the expertise and time to devote to security, small firms are also treated as a ‘back door’ into bigger organisations, where criminals can do even greater damage.
So, if you haven’t already, get up to speed on the technical and human weaknesses that can make your systems vulnerable, and on how to respond if you are hit. Otherwise you could find your own business in the cyber spotlight.
As featured in Business Advice