Ticketmaster to Pay $10 Million for Cyber Intrusions Against Rival
In a significant development in cybersecurity and corporate ethics, Ticketmaster has agreed to pay a $10 million fine after it was charged with unauthorized access to the computer systems of a competitor, CrowdSurge, between 2013 and 2015. This incident involved the illegal use of credentials to gain sensitive business intelligence in what has been described as an effort to undermine a rival’s operations in the ticket sales market.
CrowdSurge, which merged with Songkick in 2015 and was later acquired by Warner Music Group in 2017, was the target of Ticketmaster’s corporate espionage. Acting U.S. Attorney Seth DuCharme stated that Ticketmaster employees repeatedly and unlawfully accessed CrowdSurge’s operations using stolen passwords. This blatant misconduct involved activities such as gathering confidential business plans, contracts, and client lists, violating both legal and ethical standards.
The scheme was orchestrated through the employment of Stephen Mead, CrowdSurge’s former U.S. operations manager, who facilitated the breach by sharing passwords to proprietary tools, including the Artist Toolbox application, which provided real-time sales data. Such actions illustrate the use of initial access tactics common in cyber intrusions, where adversaries exploit software vulnerabilities or human trust to infiltrate systems.
Additionally, Mead is accused of providing internal financial documents and other sensitive information to Ticketmaster personnel, further jeopardizing CrowdSurge’s competitive position. Notably, Zaidi, formerly head of Ticketmaster’s artist services, has pled guilty to related charges of conspiracy to commit computer intrusions and wire fraud, acknowledging the intent to keep their surveillance of CrowdSurge’s activities undetected.
Internal communications from Ticketmaster revealed a calculated strategy to “choke off” potential clients of CrowdSurge, particularly targeting key artists engaged in presale ticketing. These tactics reflect a clear understanding of competitive market dynamics at play, highlighting how cybersecurity breaches are not merely technical failures but strategic decisions made at corporate levels.
The implications of this case extend beyond the financial penalties. As part of the settlement, Ticketmaster is required to maintain a compliance and ethics program to prevent future unauthorized access and to provide annual reports to the U.S. Attorney’s Office over the next three years. This reflects an increasing emphasis in corporate governance on cybersecurity compliance and operational integrity.
Moreover, the fallout from this incident follows Ticketmaster’s previous settlement of a lawsuit brought by Songkick in 2018, wherein the company agreed to pay $110 million and acquire remaining intellectual property. The repeated legal and financial challenges signal growing scrutiny over practices within the ticketing industry, which has faced longstanding allegations of monopolistic behaviors.
The Ticketmaster case underscores the evolving landscape of cyber threats and corporate accountability in the United States. With potential MITRE ATT&CK tactics like privilege escalation and lateral movement being employed, it serves as a reminder for businesses to bolster their cybersecurity measures, ensuring they safeguard against both external threats and internal breaches.
As the industry navigates these challenges, the call for robust cybersecurity frameworks has never been more urgent. Business owners are encouraged to take proactive steps in fortifying their cyber defenses to protect themselves against similar intrusions.
