Ticketmaster Fined $10 Million for Hacking Competitor
The Ticket Seller Used Credentials Supplied by a Competitor's Former Staffer
Ticketmaster has agreed to pay a $10 million criminal fine to resolve charges that the company illegally accessed an unnamed competitor's computer system on at least 20 separate occasions, using stolen passwords to conduct a cyber espionage operation.
Ticketmaster employees repeatedly used stolen login credentials to access the competitor's computer system to collect business intelligence from 2013 to 2015, says Acting U.S. Attorney Seth DuCharme for the Eastern District of New York. The deal resolves a five-count criminal indictment filed Wednesday charging Ticketmaster with computer intrusion and fraud offenses.
"Further, Ticketmaster's employees brazenly held a division-wide 'summit' at which the stolen passwords were used to access the victim company's computers as if that were an appropriate business tactic," DuCharme says.
Ticketmaster, a wholly-owned subsidiary of Live Nation Entertainment, is ordered to pay the fine to the U.S. Department of Treasury within 10 days, say court documents.
"Ticketmaster terminated both Zaidi and [the co-conspirator] in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved," Ticketmaster tells ISMG.
The passwords were obtained from an unnamed co-conspirator who worked for the victim company from May 2010 to August 2012, leaving the company after signing a confidentiality agreement stating he would maintain the confidentiality of that company’s information, court documents say. The co-conspirator was hired by Live Nation in August 2013.
The criminal financial penalty was agreed to under a deferred prosecution agreement. It states that Ticketmaster must maintain a compliance and ethics program designed to stop and detect similar abuses of the Computer Fraud and Abuse Act.
The scheme began in November 2013 when, while working at Live Nation, the co-conspirator shared with Zeeshan Zaidi, the former head of Ticketmaster's Artist Services division, and another Ticketmaster executive, information regarding a draft ticketing website that was never made public by his former employer, the Justice Department says.
At this meeting the co-conspirator was told by Zaidi that Ticketmaster wished to "choke off" its competitor by stealing back an important client.
In January 2014, the co-conspirator followed up his initial revelation by sending Zaidi and the other Ticketmaster executive multiple sets of usernames and passwords for "Toolboxes" the victim company had established for three different artist management companies, the Justice Department says.
"I must stress that as this is access to a live [Victim Company] tool I would be careful in what you click on as it would be best not [to] giveaway that we are snooping around," the co-conspirator warned the Ticketmaster executives, to which Zaidi responded "awesome", court documents say.
Later the same day, the co-conspirator, Zaidi, and the other executive participated in a conference call during which the co-conspirator used the login credentials he retained from his former employer to access and demonstrate the Toolboxes, according to court documents.
The information gleaned from the victim company was immediately used by Ticketmaster to compare its offerings to those of the victim company, the Justice Department says.
At the time of the incident, the victim company was based in the U.K. with its U.S. headquarters located in Brooklyn, N.Y. The company merged with another firm in 2015 that declared bankruptcy in 2016.
In May 2014 Ticketmaster held a meeting where the competitor's system was accessed by the co-conspirator and its capabilities demonstrated to 14 additional Ticketmaster employees, the court documents say.
In addition to the login credentials from his former employer, the co-conspirator also retained the URLs of several confidential ticketing web pages his former company had created that were not public. He accessed these for Ticketmaster executives multiple times between July 2014 and June 2015, obtaining additional insider information, the court documents say.
"When employees walk out of one company and into another, it's illegal for them to take proprietary information with them. Ticketmaster used the stolen information to gain an advantage over its competition, and then promoted the employees who broke the law," stated FBI Assistant Director-in-Charge William Sweeney.
Live Nation fired Zaidi in October 2017, and on October 18, 2019, he pleaded guilty in a related case to conspiring to commit computer intrusions and wire fraud based on his participation in the same scheme, the Justice Department says.
2018 Ticketmaster Data Breach
In June 2018, Ticketmaster reported a data breach that was attributed to the Magecart group of card skimmers.
The breach exposed personal details - including names, payment card numbers, expiration dates and CVV numbers - for approximately 9.4 million European Ticketmaster customers, including 1.5 million in the U.K. At least 60,000 Barclays Bank cards have been tied to known fraud, the ICO says, while Monzo Bank replaced 6,000 cards after it detected signs of fraudulent use (see: Ticketmaster Breach Traces to Embedded Chatbot Software).
Ticketmaster UK was fined $1.7 million in November by Britain's privacy watchdog for its "serious failure" to comply with the EU's General Data Protection Regulation in connection with the breach (see: Ticketmaster Fined $1.7 Million for Data Security Failures).