Procurement 29 June 2018

3 cyber security lessons business owners can take from the Ticketmaster hack

Under GDPR rules, fines could be as high as 4% of turnover
Ticketmaster is the latest big brand to come under fire following a data breach that has led to the loss of 40,000 customer details. So what lessons can small business owners take from the hack?

The company has blamed the breach on malware which entered its system via a third-party chat-bot vendor, Inbenta Technologies, with customer names, addresses, email addresses, telephone numbers and payment details all transferred to an unknown third party.

So far, so damaging. But to make matters worse, Monzo, the challenger bank, has come out to say that it actually informed Ticketmaster about a potential hack back in April, but the company failed to act. The National Crime Agency and the Information Commissioner’s Office are now investigating, and if they discover that Ticketmaster could have done more to halt the damage, serious repercussions could be on the cards.

Under GDPR rules, fines could be as high as 4% of turnover, and because this breach involves payment details, Ticketmaster could also face fines from the PCI DSS (Payment Card Industry Data Security Standard), which regulates the security of payment information. And that’s before calculating loss of customer trust and reputational damage.

Cyber attacks and data breaches are an unfortunate part of business today, and just being hit doesn’t necessarily mean you’ve done something wrong. But companies have a responsibility to do their utmost to protect customer data and to act as transparently as possible if they do identify an issue.

So, what can other companies learn from Ticketmaster’s response (or lack of one)? Ben Rose, head of cyber at insurance provider Digital Risks, offers small business owners three cyber security lessons from the fallout.

  1. Top-down cyber security

Ticketmaster’s apparent failure to respond to Monzo’s initial concerns suggests that cyber security should be a higher priority for staff and leadership. Cyber security can no longer be left to the IT person to deal with; it is an executive-level issue and must be treated as such.

The management team must lead by example, while working together to ensure the message is communicated effectively across the whole business, so that if there is a potential issue, staff and management know what to do.

  2. Honesty is the best policy

The new GDPR rules state that companies must disclose a breach within 72 hours of becoming aware of it. Failure to do so won’t just look like you’ve got something to hide; it could also hinder investigations into the cause of the breach and prevent customers from taking actions that could help safeguard their information.

Speed is of the essence following a cyber-attack, so it’s valuable to have IT forensics, legal and PR support ready to go if you are hit.

  3. Vendor monitoring