Ticketmaster sued for data breach

In April, the hacker group ShinyHunters accessed Ticketmaster’s database. It collected the full names, addresses, email addresses, phone numbers and credit card information of up to 560 million customers. It took the Live Nation-owned company nearly two months to discover the breach and four months to notify affected users.

Now Ticketmaster is facing a proposed class action lawsuit that accuses the company of failing to take adequate security measures to protect against hacks, failing to alert users that their personal information has been compromised, and ensuring that a Cloud computing provider has not implemented adequate data security practices. The lawsuit, filed Friday in California federal court, alleges negligence and seeks unspecified damages of at least $5 million on behalf of millions of users.

The Ticketmaster hack was the latest in a series of cyberattacks this year targeting media and telecommunications companies such as Disney, Roku and AT&T. ShinyHunters, the group that claimed responsibility for the breach, demanded a $500,000 ransom to prevent the data from being resold on the dark web.

The lawsuit alleges that the hack was a result of Ticketmaster’s failure to implement appropriate data protection procedures, including “vendor management necessary to protect consumers’ personal information,” amid a growing wave of high-profile breaches.

The hacks, along with AT&T’s, were linked to a third-party server hosted by cloud computing company Snowflake. Users accuse Ticketmaster of failing to ensure that Snowflake, which was not named in the complaint, followed appropriate security measures. They call cyber attacks a “known risk” and a “failure to take necessary security measures.” [user information] Because of these risks, the data was in a dangerous state.”

According to the complaint, Ticketmaster should have required Snowflake to take stricter measures to protect personal information, cooperate with security reviews and provide timely notification to users affected by a hack.

Users also accuse Ticketmaster of storing personal data that it should have deleted. They claim that part of the company’s business is to collect data about users – including a customer’s purchase of goods or a ticket to an event, names, physical addresses, telephone numbers, email addresses, IP addresses, information about specific transactions and preferences – to sell to companies partners and data brokers.

The lawsuit alleges that consumers are being harmed by an increased risk of identity theft, fraud and spam. Since 2020, ShinyHunters have stolen over 900 million customer data in hacks from AT&T, GitHub and Pizza Hut, among others. With the broad amount of data available to the group, it can create so-called “fullz” packages that link multiple sources of personal data to compile complete dossiers on individuals, the lawsuit says. Even without certain information, such as a Social Security number, these packages can be used to fraudulently obtain fake driver’s licenses and loans.

And the value of this data is increasing due to new technologies that open up opportunities for fraud. Cybercriminals are using stolen information to develop increasingly sophisticated schemes using deepfake technology and AI-powered password cracking.

The complaint states that users “are now subject to years of constant surveillance of their financial and personal information.” In addition to negligence, users can also assert claims for unjust enrichment and breach of contract.

According to cybersecurity training company InfoSec Institute, some categories of sensitive personal data can be sold for up to $360 per record.

Ticketmaster did not immediately respond to a request for comment. The April hacker attack followed an antitrust lawsuit filed by the Justice Department against the company.