Los Angeles – Ticketmaster, the Live Nation-owned ticket sales service, has become the subject of a class action lawsuit following a major security breach in April, which exposed personal data for millions of users. The breach involved unauthorized access to customers’ full names, addresses, emails, and credit card details, attributed to a group known as ShinyHunters, revealing vulnerabilities in Ticketmaster’s data security measures.
Legal action was initiated in a California federal court, accusing Ticketmaster of failing to implement sufficient cybersecurity protocols and to promptly notify the victims about their compromised data. This lawsuit alleges both negligence and insufficient vendor management procedures, reflecting a broader trend of escalating cyber attacks involving major companies.
ShinyHunters, the hacking group implicated in this attack, allegedly demanded a ransom of $500,000 to prevent selling the stolen information on the dark web. This incident spotlights the increasing professions of cyber attacks aimed at media and telecom sectors, impacting other big names like Disney, Roku, and AT&T throughout the year.
Plaintiffs have criticized Ticketmaster for not ensuring that its cloud computing vendor, Snowflake—although not named in the lawsuit—adopted stringent security measures. They argue that as cyber threats are well known, failing to safeguard sensitive data actively exposes it to significant risks.
The lawsuit further contends that Ticketmaster prolonged the retention of personal data which should have been deleted. Allegedly, the company has been selling personal information to business partners and data brokers, elevating the vulnerability of users to identity theft, fraud, and spam.
According to the filing, since 2020, ShinyHunters has pilfered over 900 million customer records from various companies. The hacker group allegedly assembles “Fullz” packages using the vast data at their disposal, crafting detailed personal profiles that can be sold on the black market. This comprehensive personal information facilitates the commission of fraud, including the unlawful procurement of false identification documents and accessing loans.
The lawsuit also expresses concerns over advancements in technology that enable cybercriminals to utilize deepfake technology and AI for intricate fraud schemes, further increasing the potential misuse of stolen data. It points out the burgeoning black market value for personal records, with certain information fetching prices as high as $360 each.
In the course of the ongoing legal battles, Ticketmaster and their parent company Live Nation have not issued statements regarding the allegations. The company’s handling of user data security is under more scrutiny than ever, especially following an antitrust lawsuit filed by the Justice Department shortly before the April cybersecurity incident.
Plaintiffs in the lawsuit are seeking damages exceeding $5 million and have levied additional legal claims against Ticketmaster, including unjust enrichment and breach of implied contract. They face what may equate to years of ongoing vigilance over their personal and financial records to mitigate the fallout from this breach. This case emphasizes the growing imperative for robust cybersecurity frameworks and responsive action to protect consumer data in an environment of increasingly sophisticated digital threats.