Ticketmaster has agreed to pay a fine of $10m after “repeatedly” accessing the computer system of a rival company.
The ticket company admitted that an employee who previously worked for a rival company used “stolen” login credentials to access computer systems related to presale ticket sales between August 2013 and December 2015.
This was done in order to “choke off [Victim Company]” and “steal back one of [Victim Company]’s signature clients”, according to the deferred prosecution agreement filed by the US Attorney’s Office for the Eastern District of New York.
Despite signing a separation agreement, the employee shared URLs for the rival’s unpublished ticketing webpages with Ticketmaster employees. They also shared usernames and passwords for the rival company’s “Toolbox” app, a tool that allowed artists to monitor their ticket sales.
According to the US Department of Justice, the employee and others monitored the rival’s draft ticketing web pages in order to “identify the victim company’s clients and attempt to dissuade them from selling tickets through the victim company”.
According to the agreement, some of this information was shared with at least 14 other Ticketmaster and Live Nation employees during an “Artist Services Summit”, using a username and password to gain access to log in to a Toolbox during the summit.
The employee also provided executives with internal and confidential financial documents.
Although the rival company was not revealed in the agreement, Variety reported that it was ticketing software company Songkick. The company shut down in 2017 due to bankruptcy.
On October 18, 2019, former head of Ticketmaster’s Artist Services division Zeeshan Zaidi pled guilty in a related case to conspiring to commit computer intrusions and wire fraud.
“Ticketmaster employees repeatedly – and illegally – accessed a competitor’s computers without authorisation using stolen passwords to unlawfully collect business intelligence,” stated Acting US Attorney Seth DuCharme.
“Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers, as if that were an appropriate business tactic. Today’s resolution demonstrates that any company that obtains a competitor’s confidential information for commercial advantage, without authority or permission, should expect to be held accountable in federal court.”
As well as the fine for computer intrusion and fraud offences, Ticketmaster, which is a subsidiary of Live Nation Entertainment, has also agreed to follow a “compliance and ethics program designed to prevent and detect violations”.
Ticketmaster will also report to the United States Attorney’s Office annually during the three-year term of the agreement.
In a statement, Ticketmaster said:
“Ticketmaster terminated both Zaidi and Mead in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved.”
Jake Moore, cybersecurity specialist at ESET said:
“This is an extremely rare outcome to what was a rather interesting situation. Ticketmaster has honourably paid a fine as they were ultimately responsible for what their staff carried out, even though they would have struggled to completely mitigate this from occurring. Spotting bad actors from within an organisation takes much more than machine learning and algorithms. The problems are increased with the rise in home working too, where staff are not shadowed by other employees whilst in work hours. This makes for an even more inviting breeding ground for employees to go rogue.
“It is vital that there are procedures in place to watch for data misuse, but it takes the efforts of everyone in a company to help spot any discrepancies that might lead to a loss of intellectual or private data.”