Ticketmaster: We're not liable for credit card badness because the hack straddled GDPR day


Ticketmaster is claiming that the ICO's £1.25m data breach fine clears it of any responsibility for its network being infected by card-skimming malware, according to correspondence seen by The Register.


The firm was fined earlier this month after the UK data regulator, the Information Commissioner's Office, ruled it had broken data protection laws by failing to properly secure its network.


Yet Ticketmaster is insisting that it is not liable to a customer for the compromise of its network, attempting to exploit an apparent legal loophole to squeeze out of Reg reader Richard's fight for compensation.


When it fined Ticketmaster, the ICO said: "The total duration of the personal data breach was between February 2018 and 23 June 2018… however, the dates under consideration for the purposes of this penalty notice were from 25 May 2018 to 23 June 2018."


Those dates are significant: while the ICO made clear findings that Ticketmaster's infrastructure was compromised in February, its fine only covered the period from May, when higher penalties under the EU's General Data Protection Regulation (GDPR) were available – and now Ticketmaster seemingly wants to use that to avoid admitting liability for its systems becoming compromised in the first place.


Our reader Richard travelled to the US in February 2018. Both his debit and credit cards had been cancelled by his bank, which had spotted an attempt to fraudulently use them on Ticketmaster. This was long before the ticket resale site got its act together and removed a compromised JavaScript-powered chatbot from its payments page. Having struggled to find alternate sources of money while Stateside, Richard demanded compensation from Ticketmaster.


In a letter seen by The Register, Ticketmaster's lawyers told Richard:

This came ..