Ticketmaster fined $10 million for hacking into rival’s systems

The Ticketmaster website in a web browser window as seen on a computer screen
(Image credit: Shutterstock)

Ticketmaster has been fined $10 million (£7.3 million) after senior staff used stolen credentials to illegally access an industry rival’s password-protected platform as part of a scheme to “choke off” the competition.

The fine has been levied by the US Department of Justice following years of legal proceedings, with Ticketmaster having been charged with several counts of computer intrusion and fraud with regards to breaching the systems of its competitor, Crowdsurge.

These charges centre on an anticompetitive scheme Ticketmaster devised after an ex-Crowdsurge employee, who moved to the firm in 2013, emailed executives URLs as well as multiple sets of usernames and passwords to access an internal tool. The intrusion, which lasted until 2015, informed a conscious strategy to “cut [Crowdsurge] off at the knees”.

“Ticketmaster employees repeatedly – and illegally – accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” said acting US attorney Seth DuCharme.

“Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers, as if that were an appropriate business tactic. Today’s resolution demonstrates that any company that obtains a competitor’s confidential information for commercial advantage, without authority or permission, should expect to be held accountable in federal court.”

While Ticketmaster sells and distributes tickets for events and concerts, Crowdsurge offers artists the ability to sell presale tickets in advance of general sales. The Artist Toolbox, which Ticketmaster illegally infiltrated, is an app that provides real-time data about tickets sold through the company.

The employee, known as coconspirator-1, emailed the former head of Ticketmaster’s Artist Services division, Zeeshan Zaidi, as well as a second executive, multiple account credentials for Toolboxes. Coconspirator-1 encouraged them to “screen-grab the hell out of the system”, with this information subsequently used to prepare a presentation for other executives intended to ‘benchmark’ Ticketmaster’s offerings against Crowdsurge’s

As part of a presentation company summit in May 2014, coconspirator-1 used multiple usernames and passwords he had retained from his employment to log-into Toolbox. He also provided executives with confidential financial documents.

This led to a promotion and pay rise, with the former Crowdsurge employee then emailing a colleague to say “now we can really start to bring down the hammer” on the victim company. Ticketmaster employees continued to access the password-protected platform until December 2015, according to the US Department of Justice.

It’s illegal for employees to take certain information with them when they move from one workplace to another, and in the UK constitutes a violation of the Computer Misuse Act (CMA). Various historic studies have illustrated how much of a threat this practice is to businesses, with one study in 2016 suggesting a third of ex-workers break the CMA in this way.

“Ticketmaster terminated both Zaidi and Mead in 2017," a spokesperson told IT Pro, "after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved.”

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.