Live Nation Hit With Class Action Lawsuit Over Massive Ticketmaster Data Breach
In April, the hacker group ShinyHunters accessed Ticketmaster’s database. It harvested the full names, addresses, emails, phone numbers and credit card information on up to 560 million customers. The Live Nation-owned company took nearly two months to discover the breach and four months to notify impacted users.
Now, Ticketmaster is facing a proposed class action accusing it of failing to adopt adequate security measures to prevent against hacks, alert users that their personal data was compromised and ensure that a cloud computing vendor implemented sufficient data security practices. The lawsuit, filed on Friday in California federal court, alleges negligence and seeks unspecified damages of at least $5 million on behalf of millions of users.
More from The Hollywood Reporter
The Ticketmaster hack was the latest in a string of cyberattacks this year targeting media and telecom companies, including Disney, Roku and AT&T. ShinyHunters, the group that claimed responsibility for the breach, demanded a ransom of $500,000 to keep the data from being resold on the dark web.
The lawsuit claims that the hack was a consequence of Ticketmaster neglecting to implement proper data protection procedures, including “vendor management necessary to protect” consumers’ personally identifiable information amid a rising wave of high-profile breaches.
The hacks, along with AT&T’s, was connected to a third-party server hosted by the cloud computing company Snowflake. Users fault Ticketmaster for failing to ensure that Snowflake, which wasn’t named in the complaint, adhered to reasonable security measures. They call cyber attacks a “known risk” and that “failing to take steps necessary to secure [user information] from those risks left the data in a dangerous condition.”
Ticketmaster should’ve have required Snowflake to impose heightened measures to protect personal data, cooperate with security audits and timely notify users impacted by a hack, according to the complaint.
Users also fault Ticketmaster for retaining personal information it should’ve deleted. They claim that one arm of the company’s business involves selling data on users — including when a customer buys merchandise or a ticket to an event, names, physical addresses, phone numbers, emails, IP addresses, information about certain transactions and preferences — to business partners and data brokers.
The lawsuit alleges that consumers are harmed by increased risks of identify theft, fraud and spam. Since 2020, ShinyHunters have stolen over 900 million customer records in hacks of AT&T, GitHub and Pizza Hut, among other companies. With the wide swath of data available to the group, it can create so-called “Fullz” packages, which cross-references multiple sources of personal data to assemble complete dossiers on individuals, the lawsuit claims. Even without certain information, like a social security number, these packages can be used to fraudulently obtain fake driver’s licenses and loans.
And the value of this data is increasing because of new technologies that facilitate avenues for fraud. Cybercriminals are leveraging stolen information to devise increasingly complicated schemes featuring deepfake technology and AI-powered password cracking.
Users “now face years of constant surveillance of their financial and personal records,” the complaint states. In addition to negligence,users bring claims for unjust enrichment and breach of implied contract.
Some categories of sensitive personally information can sell for as much as roughly $360 per record, according to the cybersecurity training company InfoSec Institute.
Ticketmaster didn’t immediately respond to a request for comment. The April hack preceded by the Justice Department filing an antitrust lawsuit against the company.
Best of The Hollywood Reporter
Sign up for THR's Newsletter. For the latest news, follow us on Facebook, Twitter, and Instagram.