Ticketmaster fined $10 million for hacking into rival’s systems

Ticketmaster has been fined $10 million (£7.3 million) after senior staff used stolen credentials to illegally access an industry rival’s password-protected platform as part of a scheme to “choke off” the competition.

The fine has been levied by the US Department of Justice following years of legal proceedings, with Ticketmaster having been charged with several counts of computer intrusion and fraud with regards to breaching the systems of its competitor, Crowdsurge.

These charges centre on an anticompetitive scheme Ticketmaster devised after an ex-Crowdsurge employee, who moved to the firm in 2013, emailed executives URLs as well as multiple sets of usernames and passwords to access an internal tool. The intrusion, which lasted until 2015, informed a conscious strategy to “cut [Crowdsurge] off at the knees”.

“Ticketmaster employees repeatedly – and illegally – accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” said acting US attorney Seth DuCharme.

“Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers, as if that were an appropriate business tactic. Today’s resolution demonstrates that any company that obtains a competitor’s confidential information for commercial advantage, without authority or permission, should expect to be held accountable in federal court.”

While Ticketmaster sells and distributes tickets for events and concerts, Crowdsurge offers artists the ability to sell presale tickets in advance of general sales. The Artist Toolbox, which Ticketmaster illegally infiltrated, is an app that provides real-time data about tickets sold through the company.

The employee, known as coconspirator-1, emailed the former head of Ticketmaster’s Artist Services division, Zeeshan Zaidi, as well as a second executive, multiple account credentials for Toolboxes. Coconspirator-1 encouraged them to “screen-grab the hell out of the system”, with this information subsequently used to prepare a presentation for other executives intended to ‘benchmark’ Ticketmaster’s offerings against Crowdsurge’s

As part of a presentation company summit in May 2014, coconspirator-1 used multiple usernames and passwords he had retained from his employment to log-into Toolbox. He also provided executives with confidential financial documents.

This led to a promotion and pay rise, with the former Crowdsurge employee then emailing a colleague to say “now we can really start to bring down the hammer” on the victim company. Ticketmaster employees continued to access the password-protected platform until December 2015, according to the US Department of Justice.

It’s illegal for employees to take certain information with them when they move from one workplace to another, and in the UK constitutes a violation of the Computer Misuse Act (CMA). Various historic studies have illustrated how much of a threat this practice is to businesses, with one study in 2016 suggesting a third of ex-workers break the CMA in this way.

“Ticketmaster terminated both Zaidi and Mead in 2017," a spokesperson told IT Pro, "after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved.”