Ticketmaster Fined $10 Million for Hacking Rival’s Systems

Ticketmaster app

Live Nation’s Ticketmaster has agreed to pay a $10 million fine to avoid prosecution on criminal charges. Ticketmaster faced US criminal charges for hacking into startup rival Songkick’s computer systems to conduct what amounts to corporate espionage. Its motivation for hacking the startup was to “choke off” Songkick and “steal back” a key client.

The Prosecution Agreement and Charges

Last Wednesday, Ticketmaster and its parent company Live Nation, entered into a 3-year deferred prosecution agreement in Brooklyn’s federal court. The agreement resolves five criminal counts including wire fraud, conspiracy and computer intrusion. The Beverly Hills, California-based Ticketing giant, Ticketmaster, mainly sells and distributes tickets to concerts and other events.

Under the agreement, Ticketmaster is required to pay a $10 million penalty. As well as the fine, Ticketmaster must maintain compliance and ethics procedures designed to detect and prevent digital theft. Furthermore, Ticketmaster needs to report to the US Attorney’s Office annually during the 3-year term regarding the compliance measures it has put in place.

According to a statement from the Department of Justice’s (DoJ) U.S. Attorney’s Office, if Ticketmaster breaches the agreement “it will be subject to prosecution for the charges in the criminal information that was filed today, charging the Company with one count of conspiracy to commit computer intrusions, one count of computer intrusion for commercial advantage, one count of computer intrusion in furtherance of fraud, one count of wire fraud conspiracy and one count of wire fraud.”

Ticketmaster’s Motivation for the Hack: “Choke Off” the Rival Startup

Ticketmaster was first accused four years ago for illegally accessing Songkick’s computer systems. The now defunct Songkick was owned by Warner Music Group and specialized in artist presales. Songkick merged with CrowdSurge in 2015 and it was agreed that the merged companies would trade under the Songkick brand.

Songkick was putting in place an online system that allowed artists to sell tickets to their concerts directly to fans. These tickets were to be sold in advance of general ticket sales through Ticketmaster. The system was being developed as a means to reward loyal fans and to foil scalpers.

However, the system would also have cut into Ticketmaster’s profits. Apparently up to 10% of tickets were being set aside by artists for sale through Songkick’s system, once completed. In response, Ticketmaster employees hacked into CrowdSurge’s computer systems to steal confidential business information.

According to court documents, Ticketmaster created a spreadsheet containing the URLs of every Songkick’s draft artist ticketing page found. This allowed Ticketmaster to identify all artists who planned to use Songkick’s service and “dissuade” them from doing so. As described in DoJ’s statement, according to a Ticketmaster executive, the goal was to “choke off” Songkick and to “steal back one of [victim company]’s signature clients.” If it could win back two major clients, it could “cut [victim company] off at the knees.”

How Was Ticketmaster’s Hack Carried Out?

Live Nation recruited a former CrowdSurge employee, Stephen Mead, in 2012 to turn on his former employer. Mead then allegedly shared CrowdSurge’s systems login information with Ticketmaster employees, including Ticketmaster’s former head of Artist Services Zeeshan Zaidi.

Mead was a senior employee at CrowdSurge and thus had extensive knowledge of his former employers’ computer systems’ credentials. As CrowdSurge merged with Songkick, however, Ticketmaster apparently lost access to the systems.

The hack was first reported in 2017, when Songkick filed an antitrust lawsuit against Live Nation and Ticketmaster. As well as revealing CrowdSurge’s system credentials, in 2014 Mead allegedly logged into his former employer’s systems during a Live Nation summit. He then provided the Live Nation executives a review of CrowdSurge’s operations. He also conducted a demonstration of CrowdSurge’s internal products and systems.

Acting US Attorney DuCharme said in the DoJ statement “Ticketmaster employees repeatedly – and illegally – accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence.” He went on to say “Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers, as if that were an appropriate business tactic.”

Repercussions

As a result of investigations into the offences, Ticketmaster terminated both Mead and Zaidi in October 2017. A Ticketmaster spokesperson told The Verge “Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved.”

Nonetheless, the $10 million settlement paid to avoid prosecution is unlikely to make much of a dent in Ticketmaster’s profits. Live Nation brought in $11.5 billion in revenue in 2019. However, the fine will hurt Ticketmaster a little more this year as opposed to previous years. This is due to Covid-19 having destroyed their ticket sales in 2020.

Songkick, on the other hand, closed operations in October 2017 after declaring itself bankrupt. This is despite it reaching a $110 million settlement in January 2018 with Live Nation to resolve the antitrust lawsuit. Under the lawsuit’s settlement, Live Nation agreed to acquire Songkick’s technology assets and patents.

As for Zaidi, he pleaded guilty in October 2019 to conspiring to commit computer intrusions and wire fraud. He is yet to be sentenced. Zaidi is a US Canadian citizen with degrees from Harvard Law School and Harvard Business School.

Information technology expert
Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.