Ticketmaster hit with class action suit over massive data breach

A California law firm has filed a class action lawsuit against Ticketmaster and parent company Live Nation Entertainment on behalf of hundreds of millions of consumers caught up in a massive data breach of the live music ticketing giant, claimed by hackers earlier this week.

The suit accuses the American conglomerate of failing to “properly secure and safeguard” its customer's personally identifiable information (PII) through “adequate and reasonable cybersecurity procedures and protocols.”

Clarkson Law Firm, a public interest law firm headquartered in Malibu, filed the lawsuit on Wednesday in California’s central US district court on behalf of two plaintiffs named in the case, Cynthia Ryan and Rosalia Garcia.

“The sweeping scope of impacted consumers makes this one of the largest data breaches in history,” Ryan Clarkson, Managing Partner of Clarkson Law Firm said in a statement sent to Cybernews.

Ticketmaster class action suit
Clarkson Law Firm

The class action is also not the only legal woes facing the conglomerate. Last week, the US Department of Justice (DoJ) filed its own landmark lawsuit against the Live Nation-Ticketmaster duo for creating and operating a powerful market monopoly in violation of American antitrust laws.

Clarkson said the Ticketmaster data breach “also underscores the importance of the government’s attempt to break up the company’s monopoly.”

“When companies face no competition, they're disincentivized to deliver the best product or service – in this case, by failing to protect highly sensitive data in its possession that is now for sale on the dark web. Consumers are rightfully outraged,” Clarkson said.

The class action lawsuit

The lawsuit, demanding a trial by jury, states that Ticketmaster not only failed to prevent unauthorized access to customer data but also failed to follow required protocols regarding the encryption of that data.

Lawyers claim that Ticketmaster’s negligence, breach of fiduciary duty and implied contract, and violation of California’s Consumer Privacy Act (among other charges) caused the plaintiffs to suffer ascertainable losses, out-of-pocket expenses, lost time, emotional distress, and face “imminent risk of future harm” due to the exposure of their private information.

The class action states that had Live Nation-Ticketmaster “properly monitored” their computer networks, the companies “would have discovered the intrusion sooner or prevented it altogether.”

Also worth noting is that the DoJ lawsuit also mentions Ticketmaster's history of cybersecurity incidents and breaches, which further highlights “the inherent risk associated with industry consolidation,” said Nick Tausek, Lead Security Automation Architect at Swimlane.

“In this current era of frenzied corporate acquisitions, it is important to not only view monopolies as dangerous to consumers' wallets, but also dangerous from a cybersecurity. perspective…vulnerabilities to data breaches are heightened, amplifying the need for proactive security measures and response protocols,” Tausek said.

“Hopefully, this increased cyber risk will be taken into account in anti-monopoly actions taken by various governments around the world,” he said.

Cybernews has reached out to Ticketmaster, which has not made any public statement regarding the breach or the class action lawsuit.

Behind the Ticketmaster breach

On Wednesday, the threat group known as Shiny Hunters posted a large swath of the purported stolen data on a reboot of the hacker marketplace BreachForums. Screenshots provided in the post show a 1.3TB data set of 15 file folders.

After being examined by several security researchers, including by our own research team here at Cybernews, the consensus concludes that the compromised data of 560 million Ticketmaster customers appears to be legitimate.

Sensitive information is said to include “full names, addresses, email addresses, phone numbers, ticket sales and event details, order information, and partial payment card data,” which includes “the last four digits of card numbers, expiration dates, and even customer fraud details,” the lawsuit stated.

“While the absence of full credit card numbers in the stolen data offers some relief, the data published on the BreachForums website will likely be sold to cybercriminals who will use it to conduct targeted phishing scams against the individuals in the database,” said Sally Vincent, Senior Threat Research Engineer at LogRhythm.

According to the malware repository vx-underground – which posted an update about the alleged breach on X Thursday – the set contains information dating back to 2011 and possibly earlier.

When scammers have access to personal information, they can and often use that data to create “highly convincing” targeted attacks, Vincent said, adding that “users should be cautious of unsolicited communications asking for further personal or financial information.”

Vx-underground also said it believes Shiny Hunters – who is trying to auction off the leaked data for $500,000 to one buyer only – is “acting as a proxy” for the real threat actors behind the breach.

ShinyHunters profile BreachForums
ShinyHunters profile on BreachForums in 2023.

ShinyHunters backstory

The ShinyHunters gang relaunched the BreachForums site last spring after its founder Pompompurin was busted by the cops in New York.

The FBI arrest of the now 22-year-old former Breached chief Connor Brian Fitzpatrick created a sensational plot line that has played out on social media and kept security insiders riveted for the past year.

In fact, the latest dance between BreachForums and the FBI took place only weeks ago, with agents seizing the site for the second time and allegedly taking its long-time administrator, known as Baphomet, into federal custody.

Days later, ShineyHunters posted a PGP-signed message stating that Baphomet’s arrest led “to the seizure of pretty much all of our infrastructure by the FBI,” but the criminal outfit still managed to resurrect the site for a 3rd time, and here we are.

ShinyHunters is known for carrying out multiple high-profile data breaches costing their victims tens of millions of dollars, including Microsoft, Mashable, and Pluto TV.

In spring 2022, the mysterious threat actors successfully breached AT&T and T-Mobile within days of each other, exfiltrating the personal data of a combined 110 million users.

Meantime, Ticketmaster was also busy making headlines in 2022 after canceling all ticket sales to the Taylor Swift Era tour due to automated bots scooping up more than 2.5 million tickets in pre-sale, leaving 3.5 million fans in the lurch.

The move angered the pop star and her fans and triggered the DoJ investigation and its following antitrust lawsuit, which was also backed by dozens of US lawmakers.

Ticketmaster, considered the largest ticketing agent in the US, is a wholly owned subsidiary that merged with Live Nation in 2010 to form Live Nation Entertainment.

With more than 265 concert venues in North America under its control, including more than 60 of the top 100 amphitheaters in the US, the conglomerate is considered the “largest live entertainment company in the world.”