Fresh details are emerging about the scope and impact of the recent Ticketmaster data breach in an official filing with the Attorney General’s office in the US state of Maine obtained by CMU. The filing includes various details of the breach, as well as a copy of a customer notification letter that Ticketmaster will use to inform customers in the state that their data has been compromised.
In the letter, the Live Nation-owned Ticketmaster says that it is writing to customers “to notify you of a data security incident that may have involved your personal information”.
Details in the Maine filing include that the breach, classified as an “external system breach (hacking)”, occurred between 2 Apr and 18 May 2024, and that Ticketmaster discovered the unauthorised access on 23 May 2024.
The company has confirmed that it will begin notifying customers in Maine on 8 Jul - a delay of more than six weeks. This delay, the letter says, “is not due to law enforcement investigations”, but Ticketmaster is keen for customers to know that it has “been diligently investigating the incident with the assistance of outside experts”, and is “cooperating with federal law enforcement authorities”.
While Ticketmaster has not publicly confirmed the scale of the breach, ShinyHunters, the hacking group which claimed responsibility, said that it had obtained personal data relating to hundreds of millions of the company’s customers.
The group alleges that the 1.3TB of data they stole included the names, addresses, email addresses, phone numbers, order information, and partial payment card details relating to more than 560 million people. The paperwork filed with the Maine Attorney General’s office indicates that the number of residents in the state affected is “greater than 1000” - apparently the largest input on the filing scale.
In its letter, Ticketmaster says that as a response to the breach it will offer affected customers twelve months of free identity monitoring services through TransUnion, which will “look out for your personal data on the dark web”. The company says that it has also implemented several security measures, including rotating passwords for accounts associated with the affected database, reviewing access permissions, and enhancing alerting mechanisms.
The letter advises customers to remain vigilant against potential identity theft and fraud, to monitor their accounts and credit reports, and to be cautious of phishing attempts. Ticketmaster emphasises that customer accounts were not directly affected by this incident, but users should be mindful of any suspicious activity.
This new information contrasts with Live Nation’s recent SEC filing, which stated that the company does not believe the incident is “reasonably likely to have a material impact on our overall business operations or on our financial condition or results of operations”. Given the potential scale of the breach and the comprehensive identity protection measures now being offered, this assessment may prove optimistic.
The breach is already facing legal scrutiny, with a class-action lawsuit filed by two Ticketmaster customers. The lawsuit criticises Live Nation’s initial failure to promptly disclose the breach, highlighting the gap between the discovery of the breach and customer notifications.
As investigations continue, the full impact of this breach on Ticketmaster and its customers, and the broader implications for data security in the entertainment industry, remain to be seen. This incident adds to the mounting pressures on Live Nation, which is already facing scrutiny over allegations of anticompetitive conduct in the US.