← All breach guides

Ticketmaster data breaches — exercise your GDPR rights

Ticketmaster has suffered two major data breaches: a 2018 Magecart attack that exposed financial details of 9.4 million European customers, and a 2024 attack via its Snowflake cloud environment that exposed data on approximately 560 million customers globally. The UK ICO fined Ticketmaster UK £1.25 million over the 2018 breach.

⚖️ Regulatory action: Ticketmaster UK was fined £1.25 million by the UK ICO in November 2020 for the 2018 breach. The 2024 Snowflake breach is subject to ongoing regulatory review.

What happened

2024 560 million customers affected

The hacking group ShinyHunters obtained credentials via infostealer malware and used them to access Ticketmaster's data held in a Snowflake cloud environment, exfiltrating approximately 1.3 terabytes of data between April and May 2024. The stolen dataset — put up for sale on a dark-web forum in late May 2024 — included names, addresses, phone numbers, partial payment card details, and ticket purchase history for hundreds of millions of customers.

Data exposed:
  • Full names
  • Addresses
  • Phone numbers
  • Email addresses
  • Partial payment card numbers and expiry dates
  • Ticket purchase history
  • Order details
2018 9.4 million European customers affected

Malicious code was injected into a third-party chatbot embedded on Ticketmaster's payment pages, allowing attackers to skim names and payment card details in real time. The ICO found Ticketmaster failed to act promptly after being alerted to suspicious activity by its bank.

Data exposed:
  • Full names
  • Payment card numbers
  • Card expiry dates
  • CVV numbers

What you can do

If you have ever purchased tickets through Ticketmaster, your personal and financial data may have been exposed in one or both breaches. A GDPR subject access request reveals exactly what Ticketmaster holds, how long they retain it, and whether it has been shared with third parties.

You have two key rights under GDPR:

Note: Submit data requests via Ticketmaster's privacy portal or email privacy@ticketmaster.com. For UK users: privacy@ticketmaster.co.uk. Privacy portal ↗

Generate your access request

This letter is pre-addressed to Ticketmaster UK Limited, the official EU data controller for Ticketmaster.

To: Ticketmaster UK Limited
Media House, Mandela Way, London, SE1 5SS, United Kingdom

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,

Text copied to clipboard

1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.

No response after one month? File a complaint with your DPA →

Select your country to find your data protection authority:

Share: