[BreachExchange] Ticketmaster Coughs Up $10 Million Fine After Hacking Rival Business

Wed Jan 6 11:10:35 EST 2021

https://threatpost.com/ticketmaster-10-million-fine-hacking-rival/162695/

Several Ticketmaster executives conspired a hack against a rival
concert presales firm, in attempt to ‘choke off’ its business.

Ticketmaster must pay a hefty $10 million fine after several employees
utilized unlawfully obtained passwords to hack a rival company’s
computer systems – in attempts to “choke off” its business.

The American ticket sales and distribution giant, which is owned by
Live Nation, in 2013 hired an employee who formerly worked for
Ticketmaster’s rival company (reported by some outlets to be Songkick,
a now-defunct company that offered concert pre-sale tickets),
according to the Department of Justice (DoJ) last week.

This co-conspirator illegally retained credentials from the rival
firm, which he and other Ticketmaster executives then used to hack
into the victim company’s systems. From there, they were able to
monitor the company’s draft ticketing web pages, allowing them to find
out which artists planned to use the rival company to sell tickets.
They were also able to hack into and snoop on the company’s Artist
Toolbox, a password-protected app that provides real-time data about
ticket sales.

“When employees walk out of one company and into another, it’s illegal
for them to take proprietary information with them,” said FBI
Assistant Director-in-Charge Sweeney in a statement. “Ticketmaster
used stolen information to gain an advantage over its competition, and
then promoted the employees who broke the law. This investigation is a
perfect example of why these laws exist — to protect consumers from
being cheated in what should be a fair market place.”

The Hack

According to court documents, the former senior employee (who as of
now remains unnamed) of the victim company worked there between May
2010 to July 2012. In 2012, he signed a separation agreement with the
victim company upon leaving, in which he agreed to maintain the
confidentiality of that company’s sensitive data, before joining Live
Nation in August 2013.

In 2013, this former employee shared with former Ticketmaster head of
the Artist Services division Zeeshan Zaidi the URLs for draft
ticketing web pages of the victim company, which were not public.

“In response to a Ticketmaster executive explaining that the goal was
to ‘choke off [victim company]’ and ‘steal back one of [the victim
company]’s signature clients,’ co-conspirator 1 offered that
Ticketmaster could ‘cut [victim company] off at the knees’ if they
could win back presale ticketing business for a second major artist
that was a client of the victim company,” according to the DoJ.

Then, the former employee sent Zaidi and another Ticketmaster
executive multiple sets of usernames and passwords for the victim
company’s password-protected Artist Toolbox app, and encouraged them
to “screen-grab the hell out of the system.” The co-conspirators even
went so far as to use the passwords to access the app in a live demo
at a Ticketmaster internal summit, in front of at least 14 other
Ticketmaster and Live Nation employees, according to the DoJ.

The former employee in 2015 was promoted and given a raise; meanwhile,
Ticketmaster employees continued to access the Artist Toolbox app
through December 2015.

Next Steps

In 2015, the victim company filed a civil complaint against Live
Nation and Ticketmaster alleging antitrust violations. That lawsuit
was amended in 2017 to add allegations that Ticketmaster had accessed
the company’s computer systems without authorization. In 2017, both
the former employee and Zaidu were then terminated by Ticketmaster.

Last week’s fine against Ticketmaster resolves charges that the
company “repeatedly accessed without authorization the competitor’s
computer systems.” The fine is part of a deferred prosecution
agreement that Ticketmaster entered with the U.S. Attorney’s Office
for the Eastern District of New York to resolve a five-count criminal
complaint filed today charging computer intrusion and fraud offenses.
As part of the charges, on Oct. 18, 2019, Zaidi pled guilty in a
related case to conspiring to commit computer intrusions and wire
fraud based on his participation in this scheme.

This is also not the first time Ticketmaster has found itself up
against a hefty fine for cybersecurity-related issues. In November,
Ticketmaster’s U.K. division was slapped with a $1.65 million fine by
the Information Commissioner’s Office (ICO) in the UK, over its 2018
data breach that impacted 9.4 million customers.

The incident points to employee insider threats facing many companies
– an issue that is particularly worrying today as many may feel
stressed or disillusioned by their workplace during today’s shaky,
COVID-19-disrupted economy. One specific concern for companies
reflected by this particular case is illegal employee data retention
after leaving a firm. For instance, last year a former Cisco employee
was sentenced to two years in jail after he hacked into Cisco’s Webex
collaboration platform – after leaving the firm.

A Ticketmaster spokesperson told Threatpost, “Ticketmaster terminated
both Zaidi and Mead in 2017, after their conduct came to light. Their
actions violated our corporate policies and were inconsistent with our
values. We are pleased that this matter is now resolved.”