Undertaking by Ticketmaster - Singapore Pte Ltd

Background

On 1 December 2023, the Personal Data Protection Commission (the “Commission”) commenced investigations against Ticketmaster – Singapore Pte. Ltd. (the “Organisation”) upon being alerted that users trying to buy tickets to an event on the Organisation’s website were able to access and view another user’s Ticketmaster account (the “Incident”).

As a result of the Incident, the personal data of a user, including their name, phone number, email address and order information (but not the ticket barcodes), was disclosed to a different user. The personal data of about 400 individuals was affected.

Investigations revealed that the Incident occurred because the Organisation had failed to configure its content distribution network (“CDN”) software correctly when the Organisation upgraded that software. The users’ personal data was stored as shared cache objects keyed on the users’ IP addresses. This led to a user’s personal data being shown to another user if those users had been assigned the same IP address when using the Organisation’s website.

The Commission also found that the Organisation did not detect the misconfiguration because it had conducted only limited testing after the software upgrade.

Remedial Actions

Upon discovering the Incident, the Organisation immediately took the following actions:

(a) Rolled back its CDN software to an earlier version which resolved the cause of the Incident; and

(b) Developed a dedicated testing environment for its CDN software.

Voluntary Undertaking

Having considered the circumstances of the case, including the remedial steps taken by the Organisation, the Commission accepted a voluntary undertaking on 9 April 2024 (the “Undertaking”) from the Organisation to improve its compliance with the Personal Data Protection Act 2012 (“PDPA”).

The Organisation provided a comprehensive remediation plan to the Commission that sought to rectify the gaps identified during our investigations. As part of the Undertaking, the Organisation will review its internal onboarding processes and provide appropriate training to its employees. The Organisation will also explore the use of an automated testing framework with a larger pool of test accounts, to better identify any anomalies.
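The failure mode described under Background (per-user account responses stored as shared cache objects keyed on the client IP) and the kind of multi-account automated check mentioned in the preceding paragraph can both be shown with a small simulation. The following is an added illustration, not Ticketmaster's code or configuration: the edge cache is a simplified in-memory model, and every account, session token, IP address and path is constructed sample data. It places the misconfigured cache policy beside a corrected one and runs a pool of test accounts through one shared IP, reporting any response that belongs to a different account than the one that requested it.

```python
"""Simulated CDN edge cache reproducing a shared-cache-keyed-by-IP
misconfiguration beside a corrected policy, plus an automated
cross-account leak check driven by a pool of test accounts.
Added illustration; not the Organisation's code. All accounts, IPs and
paths are constructed, and the CDN is a simplified in-memory model."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed test accounts: session token -> profile the origin returns.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "sess-alice": {"account_id": "A-1001", "name": "Alice Tan", "email": "alice@example.test"},
    "sess-bob":   {"account_id": "A-1002", "name": "Bob Lim",   "email": "bob@example.test"},
    "sess-cara":  {"account_id": "A-1003", "name": "Cara Ng",   "email": "cara@example.test"},
}


@dataclass(frozen=True)
class Request:
    client_ip: str   # address the edge sees; many users can share one (NAT, carrier proxy)
    session: str     # cookie identifying the logged-in account
    path: str


@dataclass
class Response:
    body: Dict[str, str]
    headers: Dict[str, str]


def origin(req: Request) -> Response:
    """Origin server: personalised account page for the session in the request.
    It correctly marks the response as per-user and not storable."""
    profile = ACCOUNTS[req.session]
    return Response(body={"path": req.path, **profile},
                    headers={"Cache-Control": "private, no-store"})


class EdgeCache:
    """Minimal edge cache. `key_fn` decides which requests share one stored
    object; `honour_cache_control` decides whether the origin's private /
    no-store directives are respected before an object is stored."""

    def __init__(self, key_fn: Callable[[Request], Tuple], honour_cache_control: bool):
        self.key_fn = key_fn
        self.honour_cache_control = honour_cache_control
        self.store: Dict[Tuple, Response] = {}

    def fetch(self, req: Request) -> Tuple[Response, str]:
        key = self.key_fn(req)
        if key in self.store:
            return self.store[key], "HIT"      # served from the shared object, whoever asked
        resp = origin(req)
        directives = {d.strip() for d in resp.headers.get("Cache-Control", "").split(",")}
        storable = not (self.honour_cache_control and directives & {"private", "no-store"})
        if storable:
            self.store[key] = resp
        return resp, "MISS"


def misconfigured_cache() -> EdgeCache:
    """Objects are shared by everyone behind the same IP and path, and the
    origin's private / no-store directives are ignored."""
    return EdgeCache(key_fn=lambda r: (r.client_ip, r.path), honour_cache_control=False)


def corrected_cache() -> EdgeCache:
    """The session cookie is part of the key, so no object is ever shared
    across accounts, and private / no-store is honoured, so account pages
    are not stored at the edge at all. Either control alone would stop the
    leak; using both means a mistake in one is not fatal."""
    return EdgeCache(key_fn=lambda r: (r.session, r.path), honour_cache_control=True)


def cross_account_leak_check(cache: EdgeCache, sessions: List[str],
                             shared_ip: str, path: str = "/account") -> List[Tuple[str, str]]:
    """Automated check: drive a pool of test accounts through one shared IP
    and report every (requesting account, account whose data came back)
    mismatch. An empty list means no cross-account disclosure was observed."""
    leaks = []
    for session in sessions:
        resp, _ = cache.fetch(Request(shared_ip, session, path))
        expected = ACCOUNTS[session]["account_id"]
        if resp.body["account_id"] != expected:
            leaks.append((expected, resp.body["account_id"]))
    return leaks


if __name__ == "__main__":
    pool = list(ACCOUNTS)
    print("misconfigured:", cross_account_leak_check(misconfigured_cache(), pool, "203.0.113.10"))
    print("corrected:    ", cross_account_leak_check(corrected_cache(), pool, "203.0.113.10"))
```

With the misconfigured policy the first account behind the shared IP populates the cache and every later account receives that first user's profile, which is exactly what the check reports; with the corrected policy the list is empty and the cache store stays empty. The check only finds leaks when at least two test accounts originate from the same address and request the same path, which is why a larger pool of test accounts, routed through a shared egress, makes such a regression visible after a CDN upgrade.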

The Commission accepted the Undertaking having considered the number of affected individuals, the types of personal data involved and the impact of the Incident. Accepting the Undertaking was also consistent with the Commission’s practice with respect to other similar personal data breaches.

The Commission will be verifying the Organisation’s compliance with its Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.