How to launder personal data like a ticket master, and get away with it
Data leaks are something that have been all too frequent of late, and the consequences can be devastating. These leaks can result in the exposure of sensitive information, including personal details, financial information, and confidential business data. Malicious actors are constantly looking for ways to exploit vulnerabilities in digital systems and steal valuable data through any means necessary.?
Through my experience working in fintech and for big data companies in various capacities, I've come to understand the importance of having strong data handling policies and procedures. With many years of dealing with secure data handling, I've learned that having such policies in place is crucial to ensure effective data security.
Policies should outline how sensitive data is collected, stored, accessed, and transmitted, and specify who has permission to access it. Employees should receive training to ensure compliance with these policies, which should also include guidelines for data retention, disposal and proper handling.
Late last year I was elated to manage to get limited access tickets from Ticketmaster Australia to a band I have followed for some time. It was one of those bands that helps get you through some very challenging times.
That all changed this week with the exposure of personal data from the Ticketmaster event partner company Destroy all lines, in the form of a group email to their "VIP" list which has had its ramifications largely ignored.
The Devil is in the detail, or lack thereof
In hindsight reviewing the purchase policies prior to ticket acquisition would have been a great idea, but those special tickets were selling out fast ... and FOMO.
Digging into the Ticketmaster Australia policies theres a few holes that are really interesting, particularly those related to third party "event partner" status.
12.6 Ticketmaster Not Liable for Event Partner
"Ticketmaster is not responsible for the actions or failures of an Event Partner. Under no circumstances shall Ticketmaster be liable for any obligations owed to you by an Event Partner or for death or personal injury suffered by you or your guests arising out of your attendance at an event, unless caused directly by Ticketmaster's negligence."
I do understand why this is there in order to protect the parent companies interest and absolve itself in case the event doesn't quite go to plan.
However the Privacy Policy is where the hole really start to appear:
We may share your information with our Event Partners so that they can run the event and for other reasons described in their privacy policies.
In my mind this would mean some sort of vetting or review process by Ticketmaster to ensure that event partner companies were handling ticket holder data correctly. Especially since they had my name, address and other PII (Personal Identifiable Information) which I'm always quite wary of where it ends up.
More importantly I would want to know that event partner staff were trained to not only handle data correctly, but were able to know what to do in the event of a breech.
Sadly this appears not to be the case...
领英推荐
I attempted multiple times to reach out to both Ticketmaster Australia and the Destroy All Lines representative to further clarify the data handling policies from the "event provider" Destroy All Lines.
To-date neither have been able to provide a privacy policy or a data handling policy for Destroy All Lines. Additionally there is nothing available on their website and nothing additional was attached during the time of purchase beyond Ticketmaster booking site where the transaction took place.
Questionable data handling practices
I've reached out multiple times to invite Ticketmaster Australia to not only review and discuss their policies further, but also seeking a full refund given that they were not able to meet the contractual obligations outlaid in their own terms.
However, they don't seem to care and the only response back so far seems to be a canned laugh track (only I'm not laughing).
I have also requested to find out what personal information exactly Destroy All Lines has, directly with the event partner company and Ticketmaster . This included also emailing [email protected] to obtain further information.
But, I am still awaiting a follow up response.
An interesting loop hole on marketplace Data Laundering?
This whole situation seems to give marketplaces the right to absolve themselves of needing to follow end-to-end data handling procedures; by ending their responsibility once the data leaves their company border.
Being fed up with lack of responsible resolution, I have already raised the incident with the appropriate authorities. While this may not achieve much more than a corporate slap on the wrist; my hope here is to bring education to others so that they may avoid similar issues of easily avoidable data laundering.
It does also raise the questions we need to be asking, especially in a time where data handling practices are being brought into question by consumers, companies and governments.
What do you think? Making a mountain out of a molehill or is this poor form when handling sensitive information?
Update, 2nd March: Refund obtained, however some questionable calls in the past few days tells me the data side of this tale is just getting started.
Senior Program Manager
2 年Thanks DeveloperSteve Coochin I have had a similar experience after tickets purchased for concerts last weekend. Very disappointed that I am now the target of multiple spam/phishing attempts from organisations that know my name. It reminds me of the holiday caravan and camping shows where we entered a competition and were hounded for many months afterwards by incidental / ancillary opportunists. I feel let down by Ticketmaster Australia. Please everyone, keep vigilant and don't let them get away with it.