‘Ticketmaster’ Fined $10 Million for Hacking Competitor
- Ticketmaster’s employees were logging into the systems of a competing company to collect intelligence.
- This went on for years and had serious repercussions in the business of the victimized firm.
- Ticketmaster will now have to pay a $10 million criminal penalty and maintain a compliance and ethics program for three years.
‘Ticketmaster’, the well-known California-based ticket sales and distribution company, is facing a very reputation-damaging situation right now. The U.S. Department of Justice has imposed a $10 million fine to the entertainment company for intrusions to a competitor’s computer systems with the intention to “choke off” their business. The former head of Ticketmaster’s Artist Services division, Zeeshan Zaidi, admitted the wrongdoing back in October 2019 and pleaded guilty to computer intrusion and wire fraud allegations.
According to the details that were laid out, Ticketmaster employees repeatedly hacked into a competitor’s computers by using stolen credentials. The way through which the passwords were acquired is through a former employee of the victimized entity, who later joined Ticketmaster. The intruders engaged in cyber espionage, collecting business intelligence, and gaining the market advantage through various means. The most prominent goal of the operation was to steal the victim company’s signature clients.
The co-conspirator warned the Ticketmaster agents who were accessing the other company’s systems to be careful with what they click on, as they were given access to a live system, and someone could notice that something weird is going on. So, generally, they were limited to screen-grabbing activities that wouldn’t raise any flags to the users of the accessed systems. This way, the surveillance went on and crept to draft ticketing web pages, internal proprietary systems, client information, contract details, and more.
Ticketmaster's practices are unlawful and unethical beyond all doubt, but the victimized company has failed to follow proper security practices pretty spectacularly too. The employee who shared the credentials with his new employer left the victim company in July 2012. He then joined Live Nation in August 2013, while the cyber-espionage operation started in about November 2013, almost 16 months later. After all this time, the access credentials remained the same, so the company relied on former employees abiding by the non-disclosure and separation agreements.
Considering that this went on until at least January 2015, we can assume that the victimized company didn’t reset the abused passwords even after three years had passed. It is possible that the espionage yielded more credentials, but since all systems today keep password boxes hidden, this is unlikely.
In addition to the hefty, $10 million fine, Ticketmaster will also have to maintain a compliance and ethics program now, designed specifically to detect violations of the Computer Fraud and Abuse Act. For the next three years, the company will be reporting to the U.S. Attorney’s Office annually, detailing exactly how they comply with the imposed measures.