Ticketmaster fined $10 million after hack of business rival

“Screen-grab the hell out of the system”

The US Department of Justice has announced that Ticketmaster has been fined $10 million for repeatedly accessing a competitor’s computer systems.

A former employee of ticketing company CrowdSurge, a firm that provided services for running and managing ticket sales on behalf of artists, lies at the centre of the case.

Although not named by the Department of Justice in its legal documents about the case, the media has named the man as Stephen Mead.

In 2012 Mead left CrowdSurge, signing a separation agreement worth $52,970 under which he agreed not to disclose or retain confidential information from CrowdSurge such as client lists, passwords, marketing strategies, and financial information.

Mead subsequently joined Ticketmaster, where he is said to have shared sensitive information including usernames and passwords with his new colleagues that allowed them to unlawfully access business information including data on purchases of presale tickets through his former employer.

According to the Department of Justice, the former CrowdSurge employee told his fellow workers to:

“screen-grab the hell out of the system”

but also warned:

“I must stress that as this is access to a live [victim company] tool I would be careful in what you click on as it would be best not [to] giveaway that we are snooping around.”

Astonishingly, on one occasion, at an Artist Services Summit in San Francisco, a password-protected area of CrowdSurge’s systems was brazenly logged into using credentials stolen from the company, in front of at least 14 Ticketmaster employees, to demonstrate the competitor’s features.

Internal and confidential financial documents the man had retained during his employment at CrowdSurge were also shared with Ticketmaster executives.


CrowdSurge went on to merge with concert ticket firm Songkick in 2015.

In 2018, Live Nation – the parent company of Ticketmaster – agreed to acquire Songkick’s parent company as part of a $110 million settlement to resolve a lawsuit.

Zeeshan Zaidi, Ticketmaster’s former head of Artist Services and Stephen Mead’s boss, pleaded guilty in October 2019 to wire fraud and conspiring to commit computer intrusions.

Both Zaidi and Mead had their employment terminated in 2017 after their conduct came to light, says Ticketmaster:

“Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved.”

Never forget that your employees may have privileged access to knowledge about how your company works, and the means to access your data. Don’t just get them to sign an agreement that they’ll maintain confidentiality after they leave your employment; ensure that passwords are also changed so they won’t be tempted to break the law.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
