By SecureWorld News Team
Mon | Jan 4, 2021 | 12:40 PM PST

What's that saying in business? "If you can't beat 'em... hack 'em."

Newly released court documents show some Ticketmaster executives and employees did exactly that.

What did they want? Access to a competitor's data and analytics relating to concert ticket pre-sales.

Ticketmaster executives and employees emailed each other about the benefits of these hacks. They could do the following things against a ticketing competitor named CrowdSurge:

"...choke off CrowdSurge"

"Steal back one of CrowdSurge's signature clients"

"...cut CrowdSurge off at the knees"

In an effort to defer prosecution against the company and its officers, Ticketmaster admits to the details of what happened, which we'll share in a minute. 

Ticketmaster agreed to pay $10 million in fines and face corporate compliance oversight for three years. 

How did the Ticketmaster hacking scheme get started?

If you or your kids have ever been in a performing artist's fan club, you may have gotten a shot at "pre-sale" tickets. Many of these pre-sales are operated invisibly, behind the scenes, by Ticketmaster.

But it wasn't always this way.

Between 2013 and 2015, a U.K. company named CrowdSurge was successfully offering this service for some big name artists, and Ticketmaster wanted to break into this line of business.

Around this time, a key employee of CrowdSurge, the victim company, left and signed a fairly typical non-compete, promising to keep confidential information confidential even after the non-compete period ended and he was allowed to work for a competitor again.

When his non-compete ran out, he got a job at Ticketmaster. His offer letter insisted that he must continue to keep his proprietary information from CrowdSurge confidential during his employment at Ticketmaster.

But court documents say Ticketmaster execs could not wait to mine his secrets. And they did not wait:

"Just weeks after Coconspirator-1 started working... TICKETMASTER executives began soliciting information from Coconspirator-1 regarding the Victim Company."

And soliciting, as we're about to see, led to "computer intrusion" or hacking.

"Ticketmaster employees repeatedly—and illegally—accessed a competitor's computers without authorization using stolen passwords to unlawfully collect business intelligence," says Acting U.S. Attorney Seth DuCharme.

Ticketmaster admits to 'computer intrusion' against competitor

As a side note here, when you leave your employer, they should shut off your access to everything. However, there was some sort of problem with the identity and access management (IAM) controls at CrowdSurge, allowing the former employee continued access to the valuable tools he helped create there.

And court documents say that with the encouragement of Ticketmaster executives, he certainly used that access. 

"...employees of the Company [Ticketmaster] engaged in at least 20 discrete instances of unauthorized access of a protected computer in violation of the CFAA."

And on at least one occasion, that illegal access happened on the big screen during a team summit. From the court documents:

"At least 14 Live Nation and TICKETMASTER employees were in attendance at the Artist Services Summit on or about May 14, 2014.

Coconspirator-1 used a username and password he had retained from his employment at the Victim Company to log in to a Victim Company Toolbox, without authorization, from a Live Nation computer. [Note: Live Nation is Ticketmaster's parent company.]

Coconspirator-1 provided a demonstration of the Toolbox application and the data that the Victim Company made available to its clients.

Coconspirator-1 projected his presentation onto a large screen in a conference room for the benefit of the participants of the meeting.

Log data obtained from the Victim Company indicates that on or about May 14, 2014, between 10:43 a.m. and 11:14 a.m. Pacific Time, the approximate time of Coconspirator-1's presentation, an individual or individuals logged into a Victim Company Toolbox for a specific artist management company from an IP address registered to a subsidiary of Live Nation based in San Francisco, California."

That's right, more than a dozen Ticketmaster employees watched a live hack of the competitor's "Toolbox" to see what was inside.

And according to prosecutors, that was just the first of many live demos and conference calls built around secret access to a competitor's data.
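An added example, not taken from the article or the court documents: the kind of check the IAM side note above calls for on the victim's side, comparing login events against offboarding dates and reporting any activity on an account after its owner left. The log format, usernames, dates and addresses are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (not from the court documents): HR offboarding
# cut-off times and auth log lines in a hypothetical key=value format.
OFFBOARDED = {"jdoe": "2023-08-30T17:00:00+00:00"}

AUTH_LOG = """\
2023-08-29T09:12:04+00:00 login user=jdoe src=198.51.100.7 result=success
2024-05-14T17:43:10+00:00 login user=jdoe src=203.0.113.25 result=success
2024-05-14T17:50:02+00:00 login user=asmith src=198.51.100.9 result=success
2024-06-02T15:01:44+00:00 login user=jdoe src=203.0.113.25 result=failure
malformed line without fields
"""

def parse_line(line):
    """Return (timestamp, fields) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "login":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return ts, fields

def post_termination_logins(log_text, offboarded):
    """List auth events on accounts that should already be disabled."""
    cutoff = {u: datetime.fromisoformat(t) for u, t in offboarded.items()}
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines instead of aborting the audit
        ts, f = parsed
        user = f.get("user")
        if user in cutoff and ts > cutoff[user]:
            # success: access was never revoked; failure: the old
            # credential is still being tried after offboarding.
            sev = "critical" if f.get("result") == "success" else "warning"
            findings.append((sev, user, f.get("src"), ts.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in post_termination_logins(AUTH_LOG, OFFBOARDED):
        print(*finding)
```

A successful login after the cut-off means the account was never disabled; recording the source address alongside it preserves the kind of evidence the log data quoted above provided.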

And what was it that Ticketmaster learned through these intrusions, so it could "...cut CrowdSurge off at the knees" as employee emails had mentioned?

Court documents say it was about getting the competitor's data and analytics.

"The Victim Company offered artists the ability to sell presale tickets off of TICKETMASTER's platform by operating or helping the artist to operate an online ticketing platform. As part of its services to its artist clients, the Victim Company offered a data analytics package for ticketing known as an Artist Toolbox (the 'Toolbox').

The Toolbox was a web-based software application that provided the artists or the artist's manager real-time data about ticket sales effected through the Victim Company. Among other things, the Toolbox provided information about where tickets were being purchased, the number of tickets sold at each venue, information about tickets sold on particular dates, and email addresses collected from ticket purchasers that could then be added to artists' mailing lists."

And those involved in the scheme appear to have known they were in the wrong, because they worried about getting caught.

"Coconspirator-1 encouraged the two TICKETMASTER executives to 'screen-grab the hell out of the system,' and warned them that Coconspirator-1 and TICKETMASTER were not authorized to access the Victim Company Toolboxes:

'I must stress that as this is access to a live [Victim Company] tool. I would be careful in what you click on as it would be best not [to] giveaway that we are snooping around.'"

And they were sharing files with all kinds of relevant analytics.

"In addition, Coconspirator-1 attached two Victim Company-related Excel spreadsheets: (1) a 'booking fee calculator' that gave 'the full breakdown of the fees [the Victim Company] appl[ies] to the... normal ticket prices'; and (2) an 'Account Management Tool' that 'was used for every new artist tour' to 'provide the biz-dev and client services guys an idea of the profitability of the tour.'"

With so much competitor data in the hands of a ticketing juggernaut, does the competition even stand a chance? Apparently not.

In 2018, Live Nation, Ticketmaster, and CrowdSurge settled a lawsuit concerning this case, and Live Nation [Ticketmaster's parent] acquired CrowdSurge's remaining technology assets, including its ticketing commerce platform, patent portfolio, and other assets.

But the investigation into the case was ongoing. Now, the U.S. Department of Justice says that Ticketmaster violated U.S. laws, including the Computer Fraud and Abuse Act (CFAA).

Ticketmaster must audit computer abuse controls

Ticketmaster will pay a $10 million fine and agrees to implement both education and controls around compliance to prevent this from happening again.

"The Company has represented that it has put technical controls in place to block employees from using the Company's corporate systems to access password-protected areas of competitor websites, except where employees have a valid business need and authorization to do so.

The Company will assign responsibility to one or more senior corporate executives of the Company for the implementation and oversight of the Company's computer crime and competitor confidential information compliance code, policies and procedures.

Such corporate official(s) shall have the authority to report directly to independent monitoring bodies, including internal audit, the Company's Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of stature and autonomy from management as well as sufficient resources and authority to maintain such autonomy."

And under the deferred prosecution agreement with the U.S. Attorney's office in Eastern New York, Ticketmaster is required to submit annual reports on its compliance progress for three years.

There is more malfeasance listed in the 56-page agreement between the U.S. District Attorney's Office and Ticketmaster, if you want to learn more.

But in the meantime, hopefully this case will remind unethical companies about the following: even if you can't beat 'em, you still shouldn't hack 'em.
