£1.25 million may seem like a high fine when balanced against the old maximum rate of £500,000, but it seems very low when balanced against the maximum fine possible under the Data Protection Act 2018 and the GDPR.
The fine also looks fairly low when compared to those issued to BA and Marriott recently, so have Ticketmaster got off lightly?
From the penalty notice it is not immediately possible to see the calculation of how the level of the fine was set (and reduced for COVID-related reasons). It is clear that the right steps were followed, but readers may still be left trying to figure out the ICO's exact formula for being "effective, proportionate and dissuasive".
On our reading a breach that affected 9.4 million users, including 1.5 million in the UK, and that included full payment card details with expiry date and CCV numbers, that led to 60,000 individuals being the victim of fraud and another 6,000 having to have their payment cards replaced, is a serious breach with significant harm.
In the BA and Marriott cases the numbers of affected individuals may have been greater, but there was no actual evidence of harm, yet their fines were many times greater than Ticketmaster.
Although companies don’t expect their regulators to reveal exactly how they calculate fines, some level of consistency and predictability are important when developing a regulatory landscape – if for no other reason than it reduces the likelihood that organisations will challenge penalties they consider to have been wrongly assessed.
The concern for many large organisations will be that the ICO, on the evidence of its recent enforcement actions, appears to be focused on size of business rather than actual harm to individuals when setting fines, and that is not effective or dissuasive.
“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.