In a staggering data protection failure, secondary ticketing giant Viagogo has been sending the highly sensitive personal details of strangers to ticket buyers, a major investigation has uncovered.
The scandal involves tickets for major events purchased through the controversial resale site. Upon completion of the sale, buyers are receiving official confirmation emails that contain not their own information, but the full name, passport number, and date of birth of the original ticket seller—a complete stranger.
A Systemic Failure in Data Handling
This is not an isolated glitch but appears to be a systemic issue within Viagogo's operations. The personal data, required for events with strict anti-touting rules, is being blindly forwarded to the new purchaser instead of being securely managed or redacted by the platform.
One affected individual, who received a stranger's passport details, described the breach as "deeply alarming," stating it felt like "a gift for fraudsters." The sheer volume of data being mishandled suggests thousands of UK citizens could be at risk of identity fraud.
GDPR and Legal Implications
This practice places Viagogo in direct violation of the UK's General Data Protection Regulation (GDPR). The Information Commissioner's Office (ICO), the UK's data watchdog, has confirmed it is making enquiries into the concerning reports.
Legal experts are sounding the alarm, noting that transmitting such sensitive information—especially passport data, which is a goldmine for organised crime—without consent is a clear and serious breach of data protection law, potentially incurring massive fines.
Viagogo's Inadequate Response
When confronted with the evidence, Viagogo's response has been widely criticised as inadequate. The company initially deflected blame onto third-party sellers, claiming it was their responsibility to handle data correctly.
However, this stance ignores Viagogo's fundamental role as the data processor. The platform's terms and conditions attempt to absolve it of liability, but legal analysts argue these clauses are unlikely to hold up against GDPR's stringent requirements for data security and privacy.
What This Means for Consumers
For the public, this breach creates a dual threat:
- Risk to Sellers: Individuals who sold tickets in good faith now have their most personal data circulating freely among strangers.
- Risk to Buyers: Those who purchased tickets are now in possession of someone else's sensitive data, potentially implicating them in a data breach they did not cause.
Consumer advocacy groups are urging anyone who has bought or sold tickets on Viagogo to be extra vigilant for signs of identity theft and to consider reporting the issue to the ICO.
