Ticketmaster has been fined $10 million for hacking a rival company.
Yes, you read that right, Ticketmaster has been fined just $10 million for using stolen passwords and URL guessing to access the confidential data of a rival. We don't know exactly which rival it is (court documents kept it confidential) but what we do know is that competitor Songkick sued Ticketmaster in 2015 before going bankrupt.
So how was Ticketmaster able and allowed to hack its rival? Why was nothing done at the time? And why was the fine so small in relation to Ticketmaster's worth?
Updated 01/07/2021 with a statement from Ticketmaster
Ticketmaster Hack Timeline
In the court settlement, Ticketmaster confessed that “a former senior employee of the victim company” provided login credentials for accounts used to manage ticket presales. The senior employee worked for the victim company (alleged to be Songkick) from May 2010 to July 2012 — before joining Ticketmaster parent company LiveNation in August 2013.
November 2013, the senior employee shared with Zeeshan Zaidi, former head of Ticketmaster's Artist Services division, URLs for draft ticketing web pages that the victim company had built for an artist but hadn't yet shared with the public.
A Ticketmaster executive explained that the company wanted to “choke off” the victim company, as well as “steal[ing] back” one of its “signature clients.” The draft pre-sale URLs would allow Ticketmaster to “cut [victim company] off at the knees” according to the senior employee.
January 2014, the former senior employee emailed multiple sets of usernames and passwords for artist toolboxes to Zeeshan Zaidi and one other Ticketmaster executive. The information gleaned from the rival company's toolboxes would allow Ticketmaster to “benchmark” against the rival company's offerings. The artist toolbox was a password-protected app that provided real-time data about ticket sales.
“Screengrab the hell out of the system,” the former employee said at the time, before warning, “I must stress that as this is access to a live [victim company] tool I would be careful in what you click on as it would be best not [to] giveaway that we are snooping around.”
May 2014, at least 14 LiveNation and Ticketmaster employees attended an “Artist Services Summit” where the former senior employee accessed an artist toolbox, in front of the other employees, using a username and password they had retained from their employment at the rival company.
The former senior employee would later provide Zaidi and other Ticketmaster executives with internal and confidential financial documents from the rival company.
January 2015, the former senior employee was transferred to Ticketmaster's Artist Services division, promoted to Director of Client Relations and given a pay rise. Ticketmaster employees would continue to access the password-protected artist toolboxes through December 2015.
Between July 2014 and June 2015, the former senior employee and other Ticketmaster employees monitored the draft ticketing web pages created by the victim company. These pages were not password-protected but couldn't be indexed by search engines, meaning that users had to know the exact unique URL to access them. The victim company had intended these pages to be restricted to the artist and itself. The former senior employee had explained to Zaidi and others how the victim company's URL generation worked, which allowed Ticketmaster to access the URLs. This information was also sent to Ticketmaster executives.
In fact, around January 2015, a Ticketmaster employee created and maintained a spreadsheet listing every victim company ticketing web page that could be located, with the former senior employee's guidance. Ticketmaster would use this information to find artists and dissuade them from using the rival platform. “We're not supposed to tip anyone off that we have this view into [the victim company's] activities,” said Zaidi.
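The draft pages described above had no control other than an unlisted URL whose pattern could be learned. As an added example (not from the court documents or either company's code), this sketch shows a server-side check that binds a draft link to one page, one authenticated viewer and an expiry; `issue_preview_token`, `may_view_draft` and the sample identifiers are hypothetical names.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Constructed key for the example; a real service would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _mac(page_id: str, viewer: str, expires: int) -> str:
    # JSON-encode the fields so that no two (page, viewer) pairs serialise alike.
    msg = json.dumps([page_id, viewer, expires]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_preview_token(page_id: str, viewer: str, ttl_s: int,
                        now: Optional[float] = None) -> str:
    """Token bound to one draft page, one authenticated viewer and an expiry."""
    expires = int((time.time() if now is None else now) + ttl_s)
    return f"{expires}.{_mac(page_id, viewer, expires)}"


def may_view_draft(page_id: str, session_user: str, token: str,
                   revoked: Set[str], now: Optional[float] = None) -> bool:
    """Server-side check run on every request for a draft page."""
    if session_user in revoked:  # access removed, for example at offboarding
        return False
    expires_s, _, mac = token.partition(".")
    if not (expires_s.isascii() and expires_s.isdigit() and mac):
        return False
    expires = int(expires_s)
    if (time.time() if now is None else now) > expires:
        return False
    # Constant-time comparison; the MAC covers page, viewer and expiry together.
    expected = _mac(page_id, session_user, expires)
    return hmac.compare_digest(mac.encode(), expected.encode())
```

With this check, knowing how draft URLs are generated does not grant access: the request must also come from the logged-in viewer the token was issued to, before it expires.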
“Ticketmaster employees repeatedly — and illegally — accessed a competitor's computers without authorization using stolen passwords to unlawfully collect business intelligence,” said Acting US Attorney Seth DuCharme in a statement.
It might seem obvious now, but some of these actions could have been prevented by the rival company through diligent password monitoring. With businesses relying on password-protected accounts to carry out critical functions, and many employees now working at home, it's the right time to get a password manager.
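One form that password monitoring can take, shown as an added example that is not from the article or the case: list shared accounts whose password has not been rotated since someone who knew it left, then pull successful logins on those accounts after the departure date. All account names, dates and log lines below are constructed, and the log format is an assumption.

```python
from datetime import date

# Constructed sample data: who has left the company, and when.
DEPARTURES = {"former.employee": date(2020, 6, 30)}

# Constructed inventory of shared accounts: who knew the password, last rotation.
ACCOUNTS = [
    {"account": "toolbox-artist-a", "known_to": {"former.employee", "staff.one"},
     "rotated": date(2019, 3, 1)},
    {"account": "toolbox-artist-b", "known_to": {"former.employee"},
     "rotated": date(2020, 7, 2)},
    {"account": "toolbox-artist-c", "known_to": {"staff.one"},
     "rotated": date(2018, 6, 1)},
]

# Constructed auth log, assumed format: "<ISO date> <account> <result> <source>"
AUTH_LOG = """\
2020-05-11 toolbox-artist-a OK office
2020-09-04 toolbox-artist-a OK office
2021-01-15 toolbox-artist-a OK external
2021-01-16 toolbox-artist-b FAIL external
2021-05-20 toolbox-artist-c OK office
"""


def stale_accounts(accounts, departures):
    """Map account -> latest departure of someone who knew a still-unrotated password."""
    stale = {}
    for acct in accounts:
        left = [departures[u] for u in acct["known_to"] if u in departures]
        if left and acct["rotated"] <= max(left):
            stale[acct["account"]] = max(left)
    return stale


def suspicious_logins(log_text, stale):
    """Successful logins on a stale account after the departure that made it stale."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        day, account, result, source = parts
        if (account in stale and result == "OK"
                and date.fromisoformat(day) > stale[account]):
            hits.append((day, account, source))
    return hits
```

Every hit needs triage, since a current employee may share the account, but each one also marks a password that should have been rotated at offboarding.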
Why Was Nothing Done at the Time?
We can't be sure whether any Ticketmaster employees attempted to blow the whistle on these clearly illegal activities.
In fact, it seems pretty apparent from the court documents that the people involved, from Zaidi to the former senior employee, to the 14 members of staff at the Artist Services Summit, knew what they were doing was at least wrong, if not illegal.
“When employees walk out of one company and into another, it's illegal for them to take proprietary information with them. Ticketmaster used stolen information to gain an advantage over its competition, and then promoted the employees who broke the law. This investigation is a perfect example of why these laws exist – to protect consumers from being cheated in what should be a fair market place,” stated FBI Assistant Director-in-Charge Sweeney.
In a statement, Ticketmaster said:
“Ticketmaster terminated both Zaidi and Mead in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved.”
Of course, there were a number of Ticketmaster and LiveNation employees, many of them alleged to be pretty senior, who were well aware of the pair's actions as far back as 2015.
Why Was Ticketmaster's Fine so Small?
Under the terms of the deferred prosecution agreement, Ticketmaster will pay a criminal penalty of $10 million and will maintain a “compliance and ethics program designed to prevent and detect violations” of this kind from happening again.
The company will also have to report to the US Attorney's Office annually during the three-year term of the agreement regarding the compliance measures. If there's another violation, the company will be charged with one count of conspiracy to commit computer intrusions, one count of computer intrusion for commercial advantage, one count of computer intrusion in furtherance of fraud, one count of wire fraud conspiracy and one count of wire fraud.
It might seem strange to us that Ticketmaster, which was carrying out these illegal activities over multiple years, has managed to get off with such a tap on the wrist.
After all, the EU and European countries regularly hand out fines to big companies in the billions and Ticketmaster reportedly earned a huge $11.5 billion in 2019.
Of course, 2020 is likely to have been a far less auspicious year for Ticketmaster with the coronavirus pandemic halting many live events and this might have affected the fine. Either way, the action will have brought little solace to the employees of the victim company who lost their jobs — partly as a result of Ticketmaster's actions.