The U.K. Information Commissioner’s Office (ICO) on Friday fined Ticketmaster £1.25 million (U.S. $1.6 million) for its failures relating to a 2018 data breach that exposed the personal information of 9.4 million customers across Europe.

The fine comes under the EU’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018. Though the Ticketmaster breach occurred months before, in February, it wasn’t shut down until June 23, 2018. The penalty only relates to the period from the start of the GDPR through the end of the breach.

The ICO notified Ticketmaster UK of the intended penalty in February and said it considered the economic effects of COVID-19 in determining the fine amount. Through a spokesperson, Ticketmaster said it would appeal.

The ICO alleged Ticketmaster “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.”

The breach occurred when a hacker accessed personal information—including names, payment card numbers, expiry dates, and CVV numbers—thorough the bot. The bot was operated by a third party, Inbenta Technologies, which later said Ticketmaster misused the JavaScript code it wrote.

Despite being notified by several different financial institutions about the breach, Ticketmaster failed to identify the problem and left the bot on its payments page for nine weeks after first being alerted to the issue, according to the ICO.

More than 60,000 Barclays Bank credit cards were compromised, and Monzo Bank replaced 6,000 cards as a result of the breach, the ICO said in its penalty notice. Customers of the Commonwealth Bank of Australia, Mastercard, and American Express also reported fraud connected to Ticketmaster.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” stated ICO Deputy Commissioner James Dipple-Johnstone. “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”

Of the more than nine million European customers affected by the breach, 1.5 million were based in the United Kingdom.

“Ticketmaster takes fans’ data privacy and trust very seriously,” the company spokesperson said. “Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.”

The fine against Ticketmaster represents the fourth issued by the ICO under the GDPR, following penalties against British Airways, hotel group Marriott International, and London-based pharmacy Doorstep Dispensaree. Both British Airways and Marriott received dramatically reduced fines that acknowledged the effects of the coronavirus pandemic.