December 7, 2020

2020 GDPR Fines on the Rise

Security & Compliance

How one chat bot cost Ticketmaster more than a million pounds and what you can do to avoid the same fate.

2020 has been a year of turbulence. Standards, social interactions, the way we do business… it all has changed. Also GDPR compliance, which is beginning to get very serious. It looks like it’s not just a Google and Facebook thing anymore.

Surprisingly, or perhaps not, there has been a rise in the level of activity by authorities regarding GDPR. And we want to take you through it and ask ourselves: why is GDPR compliance getting so serious?

Ticketmaster’s chatbot data breach**

That chatbot… If only we had used Cledara… That’s what the people at Ticketmaster must have thought when they got a £1.25million fine from the ICO for failing to keep its customer data safe. In other words, they received a fine for a massive data breach because they’d not completed  a risk assessment before selecting and implementing the tool. The problem? Their chatbot.

Ticketmaster suffered a breach (they took nine weeks to identify it after they were first alerted of fraudulent payments) earlier this year that compromised payment cards details belonging to 9.4 million customers. And it all took place in the SaaS app they used as a chatbot.

Angry customers, a damaged reputation, security issues to fix... and a £1.25million fine from ICO. That’s what Ticketmaster got out of all this. Ouch.

One might think that anyone could have a data breach and that it’s not Ticketmaster’s fault that bad people target them. And that’s right. But what’s not right, as the ICO sees it, is when Ticketmaster, or any other company, fails to run a risk assessment of parts of the business that might, in some scenario, compromise customer data. Because if this doesn’t take place, neither do preventive security measures. Hence the punitive action.

Data breaches of this size often result in action from the authorities, but what we are trying to say is that the size of the fine is often higher when the company is unable to demonstrate that it has the proper risk management process in place. And that is exactly what happened with Ticketmaster and their chatbot. They couldn't demonstrate completion of a risk assessment of a SaaS tool used on a critical page. Even if they ran a risk assessment, they couldn’t demonstrate it.

It’s a pity they didn’t use a SaaS risk assessment tool like Cledara because they could have saved themselves a lot of money.

But we are not here to talk about it. We are here to remind you that Ticketmaster is not alone in this.

Some GDPR precedents: Marriott and British Airways**

This October, Marriott and British Airways were also fined £18.4million and £20million respectively by the ICO for a failure to comply with GDPR standards. That’s three major fines in less than three months.

But there are some interesting takeaways to extract from both cases - both companies were able to considerably reduce their penalties, according to Ed Hayes, a lawyer on the matter.

In the case of BA, Hayes states, “the ICO took into account the fact that the airline notified the ICO promptly once it was aware of the breach; it did not gain financially from the breach; there were no relevant previous infringements to be considered, and it offered to compensate individuals who had suffered financial loss.” Penalty was also reduced due to “BA’s co-operation with its investigation and improvements to its IT security arrangements after the breach.” And lastly, COVID-19’s economic impact also mitigated the exemplary punishment.

Marriott had similar luck.

Customer data is important. At least know where it’s going**

Some data breaches are unavoidable, and companies have to live with the risk. But what the regulators demand is that you know where customer data is going, and what risks arise from hosting that data in the locations you host it. And we find that very reasonable.

This is where it gets complicated, because customer data is now scattered upon a number of SaaS tools: your CRM, your Google Drive… whatever it is. But it’s no longer kept behind a firewall in a local server. Because it’s the way it works in 2020. In fact, we have an entire series of blog posts on this.

The thing is, that along with this new storage panorama, comes the new challenge of managing this scattered data. And companies need help with it, because it’s not as easy as it seems. And that is why we built Cledara.

Suggestions and subscribe!

This post was inspired by questions provided by people like you. We love receiving new and interesting questions that help us think about data in new ways.  If you found this post interesting and have other questions that you’d like us to help answer, drop us a line at

Scroll down to subscribe to our blog!



Subscribe to our newsletter

Receive the latest insights in your inbox

Share this post

Subscribe to our newsletter and stay informed on the latest SaaS insights

Explore more

Explore more

9 Shadow IT Risks (And How to Avoid Them)

There’s no point triple locking your door if you leave a window wide open. Here’s 9 eye-watering shadow IT risks to beware of—and how to mitigate them.
Read more

IT Governance Framework: A Guide for Enterprise Companies

IT governance is a formal way to integrate an IT strategy into an organization's business strategy. In this post, we’ll cover everything you need to know about it.
Read more

How To Protect Your Business From Toll Fraud

Business fraud can take many forms. Learn what toll fraud is and how you can protect your business with Cledara.
Read more

Process Documentation for Startups: How To Get Started + Best Tools

Documenting processes can help you optimize your workflow and reduce the growing pains of scaling your startup. Here's how to get started.
Read more

Password Management Tips for SOC 2 Compliance

The right tools will help your company pass through a SOC 2 audit with ease.
Read more

EBA Guidelines on Outsourcing Arrangements: Everything You Need to Know

Learn how to easily navigate around the latest compliance requirements by the EBA for outsourcing arrangements.
Read more

Why SaaS Management Will Help You Achieve the ISO 27001 Certification

How a proactive approach to understanding and controlling your software subscriptions can ease your road to ISO 27001 compliance
Read more

UK Companies to Comply with EBA Guidelines for Outsourcing Arrangements amid Brexit and COVID pandemic

We dug into the latest public statements by PRA and FCA on the EBA Guidelines and give you actionable advice on how to tackle their latest updates.
Read more

SaaSOps: Your IT Team's Latest Security Challenge

COVID has accelerated migration to the cloud. And has also exposed the security of your IT structure like never before. We give you seven tips for IT professionals to tackle these new challenges.
Read more

New EBA Outsourcing Guidelines: What SaaS is Considered Critical or Important?

We dig into the jargon behind the regulation to help you understand what needs to be done with your SaaS
Read more

The Way Fintech Startups Buy SaaS is About to Change Forever

New Outsourcing Guidelines from UK and European financial regulators set new requirements for the way regulated fintech startups and other financial services companies buy and manage their SaaS.
Read more

GDPR Fines and Lessons for Startups

GDPR fines are getting larger and more frequent. An average fine is now more than $500,000, making a GDPR fine equivalent to a whole seed round!
Read more